npm - create-nextblock - Versions diffs - 0.2.78 → 0.8.0 - Mend

create-nextblock 0.2.78 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (413) hide show

package/templates/nextblock-template/lib/ai-model-registry.ts ADDED Viewed

@@ -0,0 +1,522 @@
+import { APICallError } from 'ai';
+export const CORTEX_AI_OPENROUTER_BASE_URL = 'https://openrouter.ai/api/v1';
+export const CORTEX_AI_OPENROUTER_FREE_ROUTER_MODEL = 'openrouter/free';
+export const CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY = [
+  'qwen/qwen3-next-80b-a3b-instruct:free',
+  'nvidia/nemotron-3-super-120b-a12b:free',
+  'nvidia/nemotron-nano-9b-v2:free',
+] as const;
+export const CORTEX_AI_REQUIRED_MODEL_PARAMETERS = ['tools', 'structured_outputs'] as const;
+const CORTEX_AI_OPTIONAL_MODEL_PARAMETER_MAP = {
+  frequencyPenalty: 'frequency_penalty',
+  logitBias: 'logit_bias',
+  presencePenalty: 'presence_penalty',
+  seed: 'seed',
+  stopSequences: 'stop',
+  temperature: 'temperature',
+  topK: 'top_k',
+  topP: 'top_p',
+} as const;
+export const CORTEX_AI_MODEL_REGISTRY = {
+  defaultFreeRouter: CORTEX_AI_OPENROUTER_FREE_ROUTER_MODEL,
+  defaultStructuredOutputModel: CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY[0],
+  defaultToolCallingModel: CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY[0],
+  freeFallbacks: CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY,
+  structuredJsonPreferred: CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY,
+  toolCallingPreferred: CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY,
+} as const;
+export type CortexAiOpenRouterModelId =
+  | typeof CORTEX_AI_OPENROUTER_FREE_ROUTER_MODEL
+  | (typeof CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY)[number]
+  | (string & {});
+export type CortexAiRoutingCredentialSource = 'env' | 'manual' | 'stored';
+export type CortexAiOpenRouterModelPricing = Record<string, string>;
+export type CortexAiCompatibleOpenRouterModel = {
+  contextLength: number | null;
+  created: number | null;
+  expirationDate: string | null;
+  id: CortexAiOpenRouterModelId;
+  name: string;
+  pricing: CortexAiOpenRouterModelPricing;
+  supportedParameters: readonly string[];
+};
+export type CortexAiStoredModelSelection = {
+  contextLength: number | null;
+  modelId: CortexAiOpenRouterModelId;
+  name: string;
+  pricing: CortexAiOpenRouterModelPricing;
+  supportedParameters: readonly string[];
+  updatedAt: string;
+};
+export type CortexAiRoutingPolicy = {
+  credentialSource: CortexAiRoutingCredentialSource;
+  ignoredRequestedModelId: CortexAiOpenRouterModelId | null;
+  modelIds: readonly CortexAiOpenRouterModelId[];
+  modelSelection: CortexAiStoredModelSelection | null;
+};
+export type CortexAiModelAttempt = {
+  errorMessage?: string;
+  modelId: CortexAiOpenRouterModelId;
+  rateLimited: boolean;
+  status: 'success' | 'rate_limited' | 'retried' | 'failed';
+};
+export class CortexAiRoutingError extends Error {
+  readonly attempts: readonly CortexAiModelAttempt[];
+  constructor(message: string, attempts: readonly CortexAiModelAttempt[], cause?: unknown) {
+    super(message);
+    this.name = 'CortexAiRoutingError';
+    this.attempts = attempts;
+    this.cause = cause;
+  }
+}
+function uniqueModelIds(modelIds: readonly CortexAiOpenRouterModelId[]) {
+  return Array.from(new Set(modelIds.filter(Boolean)));
+}
+function readRecord(value: unknown): Record<string, unknown> | null {
+  return value && typeof value === 'object' && !Array.isArray(value)
+    ? (value as Record<string, unknown>)
+    : null;
+}
+function readString(value: unknown) {
+  return typeof value === 'string' && value.trim() ? value.trim() : null;
+}
+function readStringArray(value: unknown) {
+  return Array.isArray(value)
+    ? value.filter((item): item is string => typeof item === 'string' && item.trim().length > 0)
+    : [];
+}
+function readNumberLike(value: unknown) {
+  const parsed = typeof value === 'number' ? value : Number(value);
+  return Number.isFinite(parsed) ? parsed : null;
+}
+function readStringRecord(value: unknown): CortexAiOpenRouterModelPricing {
+  const record = readRecord(value);
+  if (!record) {
+    return {};
+  }
+  return Object.fromEntries(
+    Object.entries(record)
+      .filter(([, entryValue]) => entryValue !== null && entryValue !== undefined)
+      .map(([key, entryValue]) => [key, String(entryValue)])
+  );
+}
+function supportsRequiredModelParameters(supportedParameters: readonly string[]) {
+  const supported = new Set(supportedParameters);
+  return CORTEX_AI_REQUIRED_MODEL_PARAMETERS.every((parameter) => supported.has(parameter));
+}
+function isTextOutputModel(record: Record<string, unknown>) {
+  const architecture = readRecord(record.architecture);
+  return readStringArray(architecture?.output_modalities).includes('text');
+}
+function getExpirationTimestamp(value: unknown) {
+  if (value === null || value === undefined) {
+    return null;
+  }
+  if (typeof value === 'number') {
+    return value > 10_000_000_000 ? value : value * 1000;
+  }
+  if (typeof value === 'string' && value.trim()) {
+    const parsed = Date.parse(value);
+    return Number.isFinite(parsed) ? parsed : null;
+  }
+  return null;
+}
+function isExpiredOpenRouterModel(value: unknown, now: Date) {
+  const expirationTimestamp = getExpirationTimestamp(value);
+  return expirationTimestamp !== null && expirationTimestamp <= now.getTime();
+}
+function readOpenRouterModelContextLength(record: Record<string, unknown>) {
+  const topProvider = readRecord(record.top_provider);
+  return (
+    readNumberLike(record.context_length) ??
+    readNumberLike(record.contextLength) ??
+    readNumberLike(topProvider?.context_length) ??
+    null
+  );
+}
+function readOpenRouterModelExpirationDate(record: Record<string, unknown>) {
+  const expirationDate = record.expiration_date ?? record.expirationDate;
+  return typeof expirationDate === 'string' && expirationDate.trim()
+    ? expirationDate.trim()
+    : null;
+}
+export function isCortexAiFreeModelId(modelId: CortexAiOpenRouterModelId | null | undefined) {
+  return Boolean(
+    modelId &&
+      (CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY as readonly string[]).includes(modelId)
+  );
+}
+export function safeParseCortexAiModelSelection(
+  value: unknown
+): CortexAiStoredModelSelection | null {
+  const record = readRecord(value);
+  if (!record) {
+    return null;
+  }
+  const modelId = readString(record.modelId);
+  const name = readString(record.name);
+  const supportedParameters = readStringArray(record.supportedParameters);
+  const updatedAt = readString(record.updatedAt);
+  if (!modelId || !name || !updatedAt || !supportsRequiredModelParameters(supportedParameters)) {
+    return null;
+  }
+  return {
+    contextLength: readNumberLike(record.contextLength),
+    modelId,
+    name,
+    pricing: readStringRecord(record.pricing),
+    supportedParameters,
+    updatedAt,
+  };
+}
+export function createCortexAiStoredModelSelection(
+  model: CortexAiCompatibleOpenRouterModel,
+  now = new Date()
+): CortexAiStoredModelSelection {
+  return {
+    contextLength: model.contextLength,
+    modelId: model.id,
+    name: model.name,
+    pricing: model.pricing,
+    supportedParameters: [...model.supportedParameters],
+    updatedAt: now.toISOString(),
+  };
+}
+export function filterCortexAiCompatibleOpenRouterModels(
+  value: unknown,
+  now = new Date()
+): CortexAiCompatibleOpenRouterModel[] {
+  const root = readRecord(value);
+  const rawModels = Array.isArray(value)
+    ? value
+    : Array.isArray(root?.data)
+      ? root.data
+      : [];
+  const compatibleModels: CortexAiCompatibleOpenRouterModel[] = [];
+  for (const rawModel of rawModels) {
+    const record = readRecord(rawModel);
+    const id = readString(record?.id);
+    const name = readString(record?.name);
+    const supportedParameters = readStringArray(record?.supported_parameters);
+    if (
+      !record ||
+      !id ||
+      !name ||
+      !isTextOutputModel(record) ||
+      isExpiredOpenRouterModel(record.expiration_date, now) ||
+      !supportsRequiredModelParameters(supportedParameters)
+    ) {
+      continue;
+    }
+    compatibleModels.push({
+      contextLength: readOpenRouterModelContextLength(record),
+      created: readNumberLike(record.created),
+      expirationDate: readOpenRouterModelExpirationDate(record),
+      id,
+      name,
+      pricing: readStringRecord(record.pricing),
+      supportedParameters,
+    });
+  }
+  return compatibleModels.sort((left, right) => left.name.localeCompare(right.name));
+}
+export function buildCortexAiModelFallbackChain(params?: {
+  fallbackModelIds?: readonly CortexAiOpenRouterModelId[];
+  modelId?: CortexAiOpenRouterModelId | null;
+}) {
+  return uniqueModelIds([
+    params?.modelId || CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY[0],
+    ...(params?.fallbackModelIds || CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY),
+  ]);
+}
+export function buildCortexAiRoutingPolicy(params: {
+  credentialSource: CortexAiRoutingCredentialSource;
+  fallbackModelIds?: readonly CortexAiOpenRouterModelId[];
+  requestedModelId?: CortexAiOpenRouterModelId | null;
+  selectedModel?: CortexAiStoredModelSelection | null;
+}): CortexAiRoutingPolicy {
+  const requestedModelId = params.requestedModelId?.trim() || null;
+  if (params.credentialSource === 'env') {
+    return {
+      credentialSource: params.credentialSource,
+      ignoredRequestedModelId:
+        requestedModelId && !isCortexAiFreeModelId(requestedModelId)
+          ? requestedModelId
+          : null,
+      modelIds: [...CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY],
+      modelSelection: null,
+    };
+  }
+  const fallbackModelIds = uniqueModelIds(
+    params.fallbackModelIds?.length
+      ? params.fallbackModelIds
+      : CORTEX_AI_FREE_MODEL_FALLBACK_REGISTRY
+  );
+  const preferredModelId =
+    params.credentialSource === 'stored'
+      ? params.selectedModel?.modelId || fallbackModelIds[0]
+      : requestedModelId || params.selectedModel?.modelId || fallbackModelIds[0];
+  return {
+    credentialSource: params.credentialSource,
+    ignoredRequestedModelId:
+      params.credentialSource === 'stored' &&
+      requestedModelId &&
+      requestedModelId !== preferredModelId
+        ? requestedModelId
+        : null,
+    modelIds: uniqueModelIds([preferredModelId, ...fallbackModelIds]),
+    modelSelection: params.selectedModel || null,
+  };
+}
+export function omitUnsupportedCortexAiModelOptions<TOptions extends Record<string, unknown>>(
+  options: TOptions,
+  params: {
+    modelId: CortexAiOpenRouterModelId;
+    modelSelection?: CortexAiStoredModelSelection | null;
+  }
+): TOptions {
+  const modelSelection = params.modelSelection;
+  if (!modelSelection || modelSelection.modelId !== params.modelId) {
+    return options;
+  }
+  const supportedParameters = new Set(modelSelection.supportedParameters);
+  const unsupportedOptionKeys = Object.entries(CORTEX_AI_OPTIONAL_MODEL_PARAMETER_MAP)
+    .filter(([optionKey, parameterName]) => optionKey in options && !supportedParameters.has(parameterName))
+    .map(([optionKey]) => optionKey);
+  if (unsupportedOptionKeys.length === 0) {
+    return options;
+  }
+  const nextOptions = { ...options };
+  for (const optionKey of unsupportedOptionKeys) {
+    delete nextOptions[optionKey as keyof TOptions];
+  }
+  return nextOptions;
+}
+function readNumericProperty(value: unknown, property: string) {
+  if (!value || typeof value !== 'object' || !(property in value)) {
+    return null;
+  }
+  const raw = (value as Record<string, unknown>)[property];
+  const parsed = typeof raw === 'number' ? raw : Number(raw);
+  return Number.isFinite(parsed) ? parsed : null;
+}
+export function getHttpStatusCode(error: unknown): number | null {
+  if (APICallError.isInstance(error)) {
+    return error.statusCode ?? null;
+  }
+  const directStatus = readNumericProperty(error, 'statusCode') ?? readNumericProperty(error, 'status');
+  if (directStatus) {
+    return directStatus;
+  }
+  if (error && typeof error === 'object' && 'response' in error) {
+    const response = (error as { response?: unknown }).response;
+    const responseStatus = readNumericProperty(response, 'status');
+    if (responseStatus) {
+      return responseStatus;
+    }
+  }
+  if (error && typeof error === 'object' && 'cause' in error) {
+    return getHttpStatusCode((error as { cause?: unknown }).cause);
+  }
+  return null;
+}
+export function isOpenRouterRateLimitError(error: unknown) {
+  return getHttpStatusCode(error) === 429;
+}
+function getDeepErrorMessage(error: unknown): string {
+  if (!error) {
+    return '';
+  }
+  if (error instanceof Error) {
+    const causeMessage = 'cause' in error ? getDeepErrorMessage(error.cause) : '';
+    return [error.message, causeMessage].filter(Boolean).join('\n');
+  }
+  if (typeof error === 'object') {
+    const record = error as Record<string, unknown>;
+    return ['message', 'error', 'text', 'cause']
+      .map((key) => getDeepErrorMessage(record[key]))
+      .filter(Boolean)
+      .join('\n');
+  }
+  return String(error);
+}
+export function isOpenRouterRecoverableRoutingError(error: unknown) {
+  if (isOpenRouterRateLimitError(error)) {
+    return true;
+  }
+  return /No endpoints found|no longer available|not available as a free model|transitioned to a paid model/i.test(
+    getDeepErrorMessage(error)
+  );
+}
+function truncateErrorMessage(message: string, maxLength = 900) {
+  const normalized = message.replace(/\s+/g, ' ').trim();
+  return normalized.length > maxLength
+    ? `${normalized.slice(0, maxLength - 1).trimEnd()}...`
+    : normalized;
+}
+function getErrorMessage(error: unknown) {
+  const message = getDeepErrorMessage(error);
+  return message ? truncateErrorMessage(message) : 'Unknown OpenRouter error.';
+}
+export function summarizeCortexAiRoutingError(
+  error: unknown,
+  fallbackMessage = 'Cortex AI request failed.'
+) {
+  if (error instanceof CortexAiRoutingError) {
+    const attemptMessages = error.attempts
+      .map((attempt) => attempt.errorMessage)
+      .filter((message): message is string => Boolean(message?.trim()));
+    const firstAttemptMessage = attemptMessages[0];
+    const lastAttemptMessage = attemptMessages[attemptMessages.length - 1];
+    const causeMessage = truncateErrorMessage(getDeepErrorMessage(error.cause));
+    if (
+      firstAttemptMessage &&
+      lastAttemptMessage &&
+      firstAttemptMessage !== lastAttemptMessage
+    ) {
+      return `First model error: ${firstAttemptMessage} Last model error: ${lastAttemptMessage}`;
+    }
+    return lastAttemptMessage || firstAttemptMessage || causeMessage || error.message;
+  }
+  return truncateErrorMessage(getDeepErrorMessage(error)) || fallbackMessage;
+}
+export async function runWithCortexAiModelFallback<T>(params: {
+  execute: (modelId: CortexAiOpenRouterModelId) => Promise<T>;
+  modelIds: readonly CortexAiOpenRouterModelId[];
+  shouldRetry?: (error: unknown) => boolean;
+}): Promise<{
+  attempts: readonly CortexAiModelAttempt[];
+  modelId: CortexAiOpenRouterModelId;
+  result: T;
+}> {
+  const modelIds = uniqueModelIds(params.modelIds);
+  const shouldRetry = params.shouldRetry || isOpenRouterRecoverableRoutingError;
+  let attempts: readonly CortexAiModelAttempt[] = [];
+  let lastError: unknown = null;
+  for (const modelId of modelIds) {
+    try {
+      const result = await params.execute(modelId);
+      attempts = [
+        ...attempts,
+        {
+          modelId,
+          rateLimited: false,
+          status: 'success',
+        },
+      ];
+      return {
+        attempts,
+        modelId,
+        result,
+      };
+    } catch (error) {
+      const rateLimited = isOpenRouterRateLimitError(error);
+      const retryable = shouldRetry(error);
+      lastError = error;
+      attempts = [
+        ...attempts,
+        {
+          errorMessage: getErrorMessage(error),
+          modelId,
+          rateLimited,
+          status: rateLimited ? 'rate_limited' : retryable ? 'retried' : 'failed',
+        },
+      ];
+      if (!retryable) {
+        throw new CortexAiRoutingError(
+          `OpenRouter request failed for model "${modelId}".`,
+          attempts,
+          error
+        );
+      }
+    }
+  }
+  throw new CortexAiRoutingError(
+    'OpenRouter fallback exhausted all configured Cortex AI models.',
+    attempts,
+    lastError
+  );
+}

package/templates/nextblock-template/lib/auth/cookies.ts ADDED Viewed

@@ -0,0 +1,47 @@
+// Server-only cookie helpers for the 2FA / trusted-device flow.
+// All three cookies are HttpOnly so they are never readable from JS.
+import { cookies } from 'next/headers';
+/** Long-lived "remember this device" token (raw token; its SHA-256 is in the DB). */
+export const TRUSTED_DEVICE_COOKIE = 'nb_trusted_device';
+/** Signed marker proving the email second factor was satisfied this session. */
+export const TWO_FACTOR_COOKIE = 'nb_2fa_verified';
+/** Short-lived flag carrying the "remember me" checkbox from login to post-2FA. */
+export const REMEMBER_INTENT_COOKIE = 'nb_remember_intent';
+const isProd = process.env.NODE_ENV === 'production';
+export async function setSecureCookie(
+  name: string,
+  value: string,
+  maxAgeSeconds: number,
+): Promise<void> {
+  const store = await cookies();
+  store.set({
+    name,
+    value,
+    httpOnly: true,
+    secure: isProd,
+    sameSite: 'lax',
+    path: '/',
+    maxAge: maxAgeSeconds,
+  });
+}
+export async function getCookieValue(name: string): Promise<string | null> {
+  const store = await cookies();
+  return store.get(name)?.value ?? null;
+}
+export async function clearCookie(name: string): Promise<void> {
+  const store = await cookies();
+  store.set({
+    name,
+    value: '',
+    httpOnly: true,
+    secure: isProd,
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 0,
+  });
+}

package/templates/nextblock-template/lib/auth/crypto.ts ADDED Viewed

@@ -0,0 +1,42 @@
+// Server-only crypto helpers for 2FA tokens, trusted-device hashing, and the
+// signed "second factor satisfied" session marker. Uses Node's crypto module.
+import crypto from 'node:crypto';
+/** SHA-256 hex digest. Used to store device/code hashes (never the raw value). */
+export function sha256Hex(input: string): string {
+  return crypto.createHash('sha256').update(input).digest('hex');
+}
+/** Cryptographically random URL-safe token (default 32 bytes -> 43 chars). */
+export function randomToken(bytes = 32): string {
+  return crypto.randomBytes(bytes).toString('base64url');
+}
+/** Random fixed-length numeric code, e.g. a 6-digit email 2FA code. */
+export function generateNumericCode(digits = 6): string {
+  const max = 10 ** digits;
+  return crypto.randomInt(0, max).toString().padStart(digits, '0');
+}
+function getSecret(): string {
+  // Dedicated secret if provided, otherwise fall back to the service-role key
+  // (server-only, never shipped to the client).
+  const secret = process.env.NB_2FA_SECRET || process.env.SUPABASE_SERVICE_ROLE_KEY;
+  if (!secret) {
+    throw new Error('Missing NB_2FA_SECRET / SUPABASE_SERVICE_ROLE_KEY for 2FA signing.');
+  }
+  return secret;
+}
+/** HMAC-SHA256 signature (base64url) of an arbitrary payload string. */
+export function hmacSign(payload: string): string {
+  return crypto.createHmac('sha256', getSecret()).update(payload).digest('base64url');
+}
+/** Constant-time string comparison that never throws on length mismatch. */
+export function safeEqual(a: string, b: string): boolean {
+  const ab = Buffer.from(a);
+  const bb = Buffer.from(b);
+  if (ab.length !== bb.length) return false;
+  return crypto.timingSafeEqual(ab, bb);
+}

package/templates/nextblock-template/lib/auth/trustedDevices.ts ADDED Viewed

@@ -0,0 +1,92 @@
+// Server-only trusted-device ("Remember this device") helpers.
+//
+// Trust is server-validated: the cookie holds only a random token, and a bypass
+// is honoured ONLY when a non-expired user_trusted_devices row matches its
+// SHA-256. Deleting the row instantly revokes trust, regardless of the cookie.
+import { createClient, getServiceRoleSupabaseClient } from '@nextblock-cms/db/server';
+import { getSecuritySettings } from '../privacy/settings';
+import { randomToken, sha256Hex } from './crypto';
+import {
+  TRUSTED_DEVICE_COOKIE,
+  clearCookie,
+  getCookieValue,
+  setSecureCookie,
+} from './cookies';
+export interface TrustedDeviceRow {
+  id: string;
+  browser_metadata: string | null;
+  created_at: string;
+  expires_at: string;
+}
+/** Mint a trusted-device token, persist its hash, and set the cookie. */
+export async function issueTrustedDevice(
+  userId: string,
+  browserMetadata: string | null,
+): Promise<void> {
+  const { trusted_device_days } = await getSecuritySettings();
+  const maxAgeSeconds = trusted_device_days * 24 * 60 * 60;
+  const token = randomToken(32);
+  const expiresAt = new Date(Date.now() + maxAgeSeconds * 1000).toISOString();
+  const svc = getServiceRoleSupabaseClient();
+  const { error } = await svc.from('user_trusted_devices').insert({
+    user_id: userId,
+    device_hash: sha256Hex(token),
+    browser_metadata: browserMetadata ? browserMetadata.slice(0, 500) : null,
+    expires_at: expiresAt,
+  });
+  if (error) {
+    console.error('Failed to persist trusted device:', error.message);
+    return; // Non-fatal: the user simply isn't remembered.
+  }
+  await setSecureCookie(TRUSTED_DEVICE_COOKIE, token, maxAgeSeconds);
+}
+/** True when the current request carries a cookie matching a live trusted row. */
+export async function hasValidTrustedDevice(userId: string): Promise<boolean> {
+  const token = await getCookieValue(TRUSTED_DEVICE_COOKIE);
+  if (!token) return false;
+  const svc = getServiceRoleSupabaseClient();
+  const { data } = await svc
+    .from('user_trusted_devices')
+    .select('id')
+    .eq('user_id', userId)
+    .eq('device_hash', sha256Hex(token))
+    .gt('expires_at', new Date().toISOString())
+    .maybeSingle();
+  return Boolean(data);
+}
+/** List the signed-in user's trusted devices (RLS scopes to their own rows). */
+export async function listTrustedDevices(userId: string): Promise<TrustedDeviceRow[]> {
+  const supabase = createClient();
+  const { data } = await supabase
+    .from('user_trusted_devices')
+    .select('id, browser_metadata, created_at, expires_at')
+    .eq('user_id', userId)
+    .order('created_at', { ascending: false });
+  return data ?? [];
+}
+/** Revoke one trusted device the user owns (RLS prevents touching others'). */
+export async function revokeTrustedDevice(userId: string, id: string): Promise<void> {
+  const supabase = createClient();
+  const { error } = await supabase
+    .from('user_trusted_devices')
+    .delete()
+    .eq('id', id)
+    .eq('user_id', userId);
+  if (error) {
+    console.error('Failed to revoke trusted device:', error.message);
+    throw new Error('Failed to revoke device.');
+  }
+}
+/** Drop all of a user's trusted devices and the local cookie (e.g. on MFA disable). */
+export async function revokeAllTrustedDevices(userId: string): Promise<void> {
+  const svc = getServiceRoleSupabaseClient();
+  await svc.from('user_trusted_devices').delete().eq('user_id', userId);
+  await clearCookie(TRUSTED_DEVICE_COOKIE);
+}