kavachos 0.0.2 → 0.0.3

package/dist/index.js

@@ -1,19 +1,319 @@
-import { createAgentModule } from './chunk-I4J4KKKK.js';
-export { createAgentModule } from './chunk-I4J4KKKK.js';
-export { bearerAuth, customAuth, headerAuth } from './chunk-7RKVTHFC.js';
-import { createPermissionEngine } from './chunk-DEVV32BE.js';
-export { createPermissionEngine, getPermissionTemplate, permissionTemplates } from './chunk-DEVV32BE.js';
-import { createAuditModule } from './chunk-N7VZO6SP.js';
-export { createAuditModule } from './chunk-N7VZO6SP.js';
-import { schema_exports, delegationChains, mcpServers, sessions } from './chunk-UEE7OYLG.js';
-export { agents, auditLogs, delegationChains, mcpServers, oauthAccessTokens, oauthAuthorizationCodes, oauthClients, permissions, rateLimits, sessions, users } from './chunk-UEE7OYLG.js';
+import { createAgentModule } from './chunk-5DT4DN4Y.js';
+export { createAgentModule } from './chunk-5DT4DN4Y.js';
+import { createSessionManager, createMagicLinkModule, createEmailOtpModule, createTotpModule, createPasskeyModule, createOrgModule, createSsoModule, createAdminModule, createApiKeyManagerModule, createUsernameAuthModule, createPhoneAuthModule, createCaptchaModule, createWebhookModule } from './chunk-KL6XW4S4.js';
+export { HibpApiError, HibpBreachedError, OAuthProxyError, OneTapVerifyError, SSO_ERROR, SsoError, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAdminModule, createAnonymousAuthModule, createApiKeyManagerModule, createCaptchaModule, createCustomSessionModule, createDeviceAuthModule, createEmailOtpModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createMagicLinkModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createOrgModule, createPasskeyModule, createPhoneAuthModule, createPolarModule, createRateLimiter, createScimModule, createSessionManager, createSiweModule, createSsoModule, createStripeModule, createTotpModule, createTrustedDeviceModule, createUsernameAuthModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit } from './chunk-KL6XW4S4.js';
+import { createPermissionEngine } from './chunk-OVGNZ5OX.js';
+export { createPermissionEngine, getPermissionTemplate, permissionTemplates } from './chunk-OVGNZ5OX.js';
+import { createAuditModule } from './chunk-SJGSPIAD.js';
+export { createAuditModule } from './chunk-SJGSPIAD.js';
+import { schema_exports, approvalRequests, sessions, delegationChains, agentDids, mcpServers, budgetPolicies, agents, permissions, auditLogs, tenants, trustScores } from './chunk-V66UUIA7.js';
+export { agentCards, agentDids, agents, apiKeys as apiKeysTable, approvalRequests, auditLogs, budgetPolicies, delegationChains, emailOtps, magicLinks, mcpServers, oauthAccessTokens, oauthAuthorizationCodes, oauthClients, orgInvitations, orgMembers, orgRoles, organizations, passkeyChallenges, passkeyCredentials, permissions, rateLimits, sessions, ssoConnections, tenants, totpRecords, trustScores, users } from './chunk-V66UUIA7.js';
 import './chunk-PZ5AY32C.js';
+import { eq, and, lt, ne, or, isNull, gte } from 'drizzle-orm';
+import { randomUUID } from 'crypto';
 import BetterSqlite3 from 'better-sqlite3';
 import { drizzle } from 'drizzle-orm/better-sqlite3';
-import { createSecretKey, randomUUID } from 'crypto';
-import { and, eq } from 'drizzle-orm';
-import { SignJWT, jwtVerify } from 'jose';
+import { generateKeyPair, exportJWK, importJWK, SignJWT, jwtVerify } from 'jose';
 
+var DEFAULT_LOOKBACK_DAYS = 30;
+function isWildcard(value) {
+  return value === "*" || value.endsWith(":*") || value.endsWith("/*");
+}
+function deriveScore(findings) {
+  const hasCritical = findings.some((f) => f.severity === "critical");
+  const wildcardCount = findings.filter((f) => f.type === "wildcard_permission").length;
+  const warningCount = findings.filter((f) => f.severity === "warning").length;
+  if (hasCritical || wildcardCount >= 2) return "wildcard-heavy";
+  if (wildcardCount === 1 || warningCount >= 2) return "over-permissioned";
+  if (findings.length === 0) return "minimal";
+  return "appropriate";
+}
+function buildRecommendations(findings, usedResources) {
+  const recs = [];
+  for (const finding of findings) {
+    if (finding.type === "wildcard_permission" && finding.permission) {
+      const { resource, actions } = finding.permission;
+      const wildcardBase = resource.replace(/:?\*$/, "");
+      const relevantUsed = [...usedResources].filter(
+        (r) => wildcardBase ? r.startsWith(wildcardBase) : true
+      );
+      if (relevantUsed.length > 0) {
+        recs.push(`Narrow \`${resource}\` to \`${relevantUsed.join(", ")}\``);
+      } else {
+        recs.push(`Remove unused wildcard permission \`${resource}\``);
+      }
+      if (actions.includes("*")) {
+        const usedActions = ["read"];
+        recs.push(
+          `Replace wildcard actions on \`${resource}\` with explicit actions: ${usedActions.join(", ")}`
+        );
+      }
+    }
+    if (finding.type === "unused_permission" && finding.permission) {
+      recs.push(
+        `Remove unused permission \`${finding.permission.resource}\` (no activity in last ${DEFAULT_LOOKBACK_DAYS} days)`
+      );
+    }
+    if (finding.type === "overly_broad" && finding.permission) {
+      const { resource } = finding.permission;
+      const relevantUsed = [...usedResources].filter((r) => {
+        const prefix = resource.replace(/:?\*$/, "");
+        return r.startsWith(prefix);
+      });
+      if (relevantUsed.length > 0) {
+        recs.push(
+          `Narrow \`${resource}\` to the specific resources used: \`${relevantUsed.join(", ")}\``
+        );
+      }
+    }
+    if (finding.type === "no_constraints") {
+      recs.push("Add rate limits or approval gates to sensitive permissions");
+    }
+    if (finding.type === "no_expiry") {
+      recs.push("Set an expiry date on this agent to enforce periodic credential rotation");
+    }
+  }
+  return [...new Set(recs)];
+}
+function createPrivilegeAnalyzer(db) {
+  async function analyzeAgent(agentId, options) {
+    const agentRows = await db.select({ id: agents.id, name: agents.name, expiresAt: agents.expiresAt }).from(agents).where(eq(agents.id, agentId)).limit(1);
+    const agent = agentRows[0];
+    if (!agent) {
+      return {
+        agentId,
+        agentName: "unknown",
+        score: "appropriate",
+        findings: [],
+        recommendations: []
+      };
+    }
+    const permRows = await db.select({
+      resource: permissions.resource,
+      actions: permissions.actions,
+      constraints: permissions.constraints
+    }).from(permissions).where(eq(permissions.agentId, agentId));
+    const agentPermissions = permRows.map((r) => ({
+      resource: r.resource,
+      actions: r.actions,
+      constraints: r.constraints ?? void 0
+    }));
+    const since = options?.since ?? new Date(Date.now() - DEFAULT_LOOKBACK_DAYS * 24 * 60 * 60 * 1e3);
+    const auditRows = await db.select({ resource: auditLogs.resource, action: auditLogs.action }).from(auditLogs).where(and(eq(auditLogs.agentId, agentId), gte(auditLogs.timestamp, since)));
+    const usedResources = new Set(auditRows.map((r) => r.resource));
+    const findings = [];
+    for (const perm of agentPermissions) {
+      const hasWildcardResource = isWildcard(perm.resource);
+      const hasWildcardAction = perm.actions.includes("*");
+      if (hasWildcardResource || hasWildcardAction) {
+        findings.push({
+          type: "wildcard_permission",
+          severity: "critical",
+          description: hasWildcardResource ? `Permission resource \`${perm.resource}\` uses a wildcard` : `Permission \`${perm.resource}\` has wildcard action \`*\``,
+          permission: { resource: perm.resource, actions: perm.actions }
+        });
+        continue;
+      }
+      const wasUsed = [...usedResources].some((used) => {
+        if (perm.resource === used) return true;
+        const permBase = perm.resource.replace(/:?\*$/, "");
+        return used.startsWith(permBase);
+      });
+      if (!wasUsed) {
+        findings.push({
+          type: "unused_permission",
+          severity: "warning",
+          description: `Permission \`${perm.resource}\` has not been used in the last ${DEFAULT_LOOKBACK_DAYS} days`,
+          permission: { resource: perm.resource, actions: perm.actions }
+        });
+      }
+      if (perm.resource.includes(":")) {
+        const permBase = perm.resource.replace(/:?\*$/, "");
+        const coveredUsed = [...usedResources].filter((r) => r.startsWith(permBase));
+        if (coveredUsed.length > 0 && coveredUsed.length < 3) {
+          const segments = perm.resource.split(":");
+          if (segments.length <= 2 && coveredUsed.every((r) => r.split(":").length > segments.length)) {
+            findings.push({
+              type: "overly_broad",
+              severity: "warning",
+              description: `Permission \`${perm.resource}\` is broader than necessary; only \`${coveredUsed.join(", ")}\` was actually used`,
+              permission: { resource: perm.resource, actions: perm.actions }
+            });
+          }
+        }
+      }
+      const hasConstraints = perm.constraints && (perm.constraints.maxCallsPerHour !== void 0 || perm.constraints.timeWindow !== void 0 || perm.constraints.requireApproval === true || perm.constraints.ipAllowlist && perm.constraints.ipAllowlist.length > 0);
+      if (!hasConstraints) {
+        findings.push({
+          type: "no_constraints",
+          severity: "info",
+          description: `Permission \`${perm.resource}\` has no rate limits, time windows, or approval gates`,
+          permission: { resource: perm.resource, actions: perm.actions }
+        });
+      }
+    }
+    if (!agent.expiresAt) {
+      findings.push({
+        type: "no_expiry",
+        severity: "info",
+        description: "Agent has no expiry date set"
+      });
+    }
+    const score = deriveScore(findings);
+    const recommendations = buildRecommendations(findings, usedResources);
+    return {
+      agentId,
+      agentName: agent.name,
+      score,
+      findings,
+      recommendations
+    };
+  }
+  async function analyzeAll(options) {
+    const activeAgents = await db.select({ id: agents.id }).from(agents).where(eq(agents.status, "active"));
+    const results = await Promise.all(activeAgents.map((a) => analyzeAgent(a.id, options)));
+    return results;
+  }
+  async function getSummary() {
+    const analyses = await analyzeAll();
+    const byScore = {};
+    let criticalFindings = 0;
+    for (const analysis of analyses) {
+      byScore[analysis.score] = (byScore[analysis.score] ?? 0) + 1;
+      criticalFindings += analysis.findings.filter((f) => f.severity === "critical").length;
+    }
+    return {
+      total: analyses.length,
+      byScore,
+      criticalFindings
+    };
+  }
+  return { analyzeAgent, analyzeAll, getSummary };
+}
+function rowToApproval(row) {
+  return {
+    id: row.id,
+    agentId: row.agentId,
+    userId: row.userId,
+    action: row.action,
+    resource: row.resource,
+    arguments: row.arguments ?? void 0,
+    status: row.status,
+    expiresAt: row.expiresAt,
+    respondedAt: row.respondedAt ?? void 0,
+    respondedBy: row.respondedBy ?? void 0,
+    createdAt: row.createdAt
+  };
+}
+async function notifyWebhook(url, approvalRequest) {
+  try {
+    await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        event: "approval_needed",
+        request: {
+          ...approvalRequest,
+          expiresAt: approvalRequest.expiresAt.toISOString(),
+          createdAt: approvalRequest.createdAt.toISOString()
+        }
+      })
+    });
+  } catch {
+  }
+}
+function createApprovalModule(config, db) {
+  const ttlSeconds = config.ttl ?? 300;
+  async function request(input) {
+    const now = /* @__PURE__ */ new Date();
+    const id = `apr_${randomUUID()}`;
+    const expiresAt = new Date(now.getTime() + ttlSeconds * 1e3);
+    await db.insert(approvalRequests).values({
+      id,
+      agentId: input.agentId,
+      userId: input.userId,
+      action: input.action,
+      resource: input.resource,
+      arguments: input.arguments ?? null,
+      status: "pending",
+      expiresAt,
+      respondedAt: null,
+      respondedBy: null,
+      createdAt: now
+    });
+    const approvalRequest = {
+      id,
+      agentId: input.agentId,
+      userId: input.userId,
+      action: input.action,
+      resource: input.resource,
+      arguments: input.arguments,
+      status: "pending",
+      expiresAt,
+      createdAt: now
+    };
+    if (config.webhookUrl) {
+      void notifyWebhook(config.webhookUrl, approvalRequest);
+    }
+    if (config.onApprovalNeeded) {
+      void config.onApprovalNeeded(approvalRequest);
+    }
+    return approvalRequest;
+  }
+  async function resolve(requestId, newStatus, respondedBy) {
+    const rows = await db.select().from(approvalRequests).where(eq(approvalRequests.id, requestId)).limit(1);
+    const row = rows[0];
+    if (!row) {
+      throw new Error(`Approval request "${requestId}" not found`);
+    }
+    if (row.status !== "pending") {
+      throw new Error(
+        `Approval request "${requestId}" is already ${row.status} and cannot be updated`
+      );
+    }
+    const now = /* @__PURE__ */ new Date();
+    await db.update(approvalRequests).set({ status: newStatus, respondedAt: now, respondedBy: respondedBy ?? null }).where(eq(approvalRequests.id, requestId));
+    return rowToApproval({
+      ...row,
+      status: newStatus,
+      respondedAt: now,
+      respondedBy: respondedBy ?? null
+    });
+  }
+  async function approve(requestId, respondedBy) {
+    return resolve(requestId, "approved", respondedBy);
+  }
+  async function deny(requestId, respondedBy) {
+    return resolve(requestId, "denied", respondedBy);
+  }
+  async function get(requestId) {
+    const rows = await db.select().from(approvalRequests).where(eq(approvalRequests.id, requestId)).limit(1);
+    const row = rows[0];
+    if (!row) return null;
+    return rowToApproval(row);
+  }
+  async function listPending(userId) {
+    const conditions = [eq(approvalRequests.status, "pending")];
+    if (userId) conditions.push(eq(approvalRequests.userId, userId));
+    const rows = await db.select().from(approvalRequests).where(and(...conditions));
+    return rows.map(rowToApproval);
+  }
+  async function cleanup() {
+    const now = /* @__PURE__ */ new Date();
+    const expiredRows = await db.select({ id: approvalRequests.id }).from(approvalRequests).where(and(eq(approvalRequests.status, "pending"), lt(approvalRequests.expiresAt, now)));
+    if (expiredRows.length === 0) return { expired: 0 };
+    await db.update(approvalRequests).set({ status: "expired" }).where(and(eq(approvalRequests.status, "pending"), lt(approvalRequests.expiresAt, now)));
+    return { expired: expiredRows.length };
+  }
+  return {
+    request,
+    approve,
+    deny,
+    get,
+    listPending,
+    cleanup
+  };
+}
 async function createDatabase(config) {
   if (config.provider === "sqlite") {
     const sqlite = new BetterSqlite3(config.url);
@@ -71,14 +371,43 @@ function buildStatements(provider) {
     // kavach_users
     // ------------------------------------------------------------------
     `CREATE TABLE ${ifne} kavach_users (
-  id          TEXT        NOT NULL PRIMARY KEY,
-  email       TEXT        NOT NULL UNIQUE,
-  name        TEXT,
-  external_id TEXT,
-  external_provider TEXT,
-  metadata    ${json},
-  created_at  ${ts}       NOT NULL,
-  updated_at  ${ts}       NOT NULL
+  id                   TEXT        NOT NULL PRIMARY KEY,
+  email                TEXT        NOT NULL UNIQUE,
+  username             TEXT        UNIQUE,
+  name                 TEXT,
+  external_id          TEXT,
+  external_provider    TEXT,
+  metadata             ${json},
+  banned               ${bool}     NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  ban_reason           TEXT,
+  ban_expires_at       ${tsNull},
+  force_password_reset         ${bool}     NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  stripe_customer_id           TEXT        UNIQUE,
+  stripe_subscription_id       TEXT,
+  stripe_subscription_status   TEXT,
+  stripe_price_id              TEXT,
+  stripe_current_period_end    ${tsNull},
+  stripe_cancel_at_period_end  ${bool}     NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  polar_customer_id            TEXT        UNIQUE,
+  polar_subscription_id        TEXT,
+  polar_subscription_status    TEXT,
+  polar_product_id             TEXT,
+  polar_current_period_end     ${tsNull},
+  polar_cancel_at_period_end   ${bool}     NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  created_at                   ${ts}       NOT NULL,
+  updated_at                   ${ts}       NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_tenants  (must come before kavach_agents – agents FK to tenants)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_tenants (
+  id         TEXT NOT NULL PRIMARY KEY,
+  name       TEXT NOT NULL,
+  slug       TEXT NOT NULL UNIQUE,
+  settings   ${json},
+  status     TEXT NOT NULL DEFAULT 'active',
+  created_at ${ts} NOT NULL,
+  updated_at ${ts} NOT NULL
 )`,
     // ------------------------------------------------------------------
     // kavach_agents
@@ -86,6 +415,7 @@ function buildStatements(provider) {
     `CREATE TABLE ${ifne} kavach_agents (
   id              TEXT  NOT NULL PRIMARY KEY,
   owner_id        TEXT  NOT NULL REFERENCES kavach_users(id),
+  tenant_id       TEXT  REFERENCES kavach_tenants(id),
   name            TEXT  NOT NULL,
   type            TEXT  NOT NULL,
   status          TEXT  NOT NULL DEFAULT 'active',
@@ -223,7 +553,328 @@ function buildStatements(provider) {
   resource               TEXT,
   expires_at             ${ts} NOT NULL,
   created_at             ${ts} NOT NULL
-)`
+)`,
+    // ------------------------------------------------------------------
+    // kavach_budget_policies
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_budget_policies (
+  id            TEXT    NOT NULL PRIMARY KEY,
+  agent_id      TEXT    REFERENCES kavach_agents(id) ON DELETE CASCADE,
+  user_id       TEXT    REFERENCES kavach_users(id),
+  tenant_id     TEXT    REFERENCES kavach_tenants(id),
+  limits        ${json} NOT NULL,
+  current_usage ${json} NOT NULL,
+  action        TEXT    NOT NULL DEFAULT 'warn',
+  status        TEXT    NOT NULL DEFAULT 'active',
+  created_at    ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_agent_cards  (A2A discovery)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_agent_cards (
+  id                TEXT    NOT NULL PRIMARY KEY,
+  agent_id          TEXT    NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,
+  name              TEXT    NOT NULL,
+  description       TEXT,
+  version           TEXT    NOT NULL,
+  protocols         ${json} NOT NULL,
+  capabilities      ${json} NOT NULL,
+  auth_requirements ${json} NOT NULL,
+  endpoint          TEXT,
+  metadata          ${json},
+  created_at        ${ts}   NOT NULL,
+  updated_at        ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_approval_requests  (CIBA async approval flows)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_approval_requests (
+  id            TEXT NOT NULL PRIMARY KEY,
+  agent_id      TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,
+  user_id       TEXT NOT NULL REFERENCES kavach_users(id),
+  action        TEXT NOT NULL,
+  resource      TEXT NOT NULL,
+  arguments     ${json},
+  status        TEXT NOT NULL DEFAULT 'pending',
+  expires_at    ${ts} NOT NULL,
+  responded_at  ${tsNull},
+  responded_by  TEXT,
+  created_at    ${ts} NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_trust_scores  (graduated autonomy scoring)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_trust_scores (
+  agent_id    TEXT    NOT NULL PRIMARY KEY REFERENCES kavach_agents(id) ON DELETE CASCADE,
+  score       INTEGER NOT NULL,
+  level       TEXT    NOT NULL,
+  factors     ${json} NOT NULL,
+  computed_at ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_organizations
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_organizations (
+  id         TEXT    NOT NULL PRIMARY KEY,
+  name       TEXT    NOT NULL,
+  slug       TEXT    NOT NULL UNIQUE,
+  owner_id   TEXT    NOT NULL REFERENCES kavach_users(id),
+  metadata   ${json},
+  created_at ${ts}   NOT NULL,
+  updated_at ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_org_members
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_org_members (
+  id        TEXT    NOT NULL PRIMARY KEY,
+  org_id    TEXT    NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,
+  user_id   TEXT    NOT NULL REFERENCES kavach_users(id),
+  role      TEXT    NOT NULL DEFAULT 'member',
+  joined_at ${ts}   NOT NULL,
+  UNIQUE(org_id, user_id)
+)`,
+    // ------------------------------------------------------------------
+    // kavach_org_invitations
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_org_invitations (
+  id         TEXT    NOT NULL PRIMARY KEY,
+  org_id     TEXT    NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,
+  email      TEXT    NOT NULL,
+  role       TEXT    NOT NULL DEFAULT 'member',
+  invited_by TEXT    NOT NULL REFERENCES kavach_users(id),
+  status     TEXT    NOT NULL DEFAULT 'pending',
+  expires_at ${ts}   NOT NULL,
+  created_at ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_org_roles
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_org_roles (
+  id          TEXT    NOT NULL PRIMARY KEY,
+  org_id      TEXT    NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,
+  name        TEXT    NOT NULL,
+  permissions ${json} NOT NULL,
+  UNIQUE(org_id, name)
+)`,
+    // ------------------------------------------------------------------
+    // kavach_passkey_credentials  (WebAuthn / FIDO2 passkeys)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_passkey_credentials (
+  id            TEXT    NOT NULL PRIMARY KEY,
+  user_id       TEXT    NOT NULL REFERENCES kavach_users(id),
+  credential_id TEXT    NOT NULL UNIQUE,
+  public_key    TEXT    NOT NULL,
+  counter       INTEGER NOT NULL DEFAULT 0,
+  device_name   TEXT,
+  transports    TEXT,
+  created_at    ${ts}   NOT NULL,
+  last_used_at  ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_passkey_challenges  (short-lived WebAuthn challenges)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_passkey_challenges (
+  id         TEXT NOT NULL PRIMARY KEY,
+  challenge  TEXT NOT NULL UNIQUE,
+  user_id    TEXT,
+  type       TEXT NOT NULL,
+  expires_at ${ts} NOT NULL,
+  created_at ${ts} NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_one_time_tokens  (email verify, password reset, invitation)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_one_time_tokens (
+  id          TEXT    NOT NULL PRIMARY KEY,
+  token_hash  TEXT    NOT NULL UNIQUE,
+  purpose     TEXT    NOT NULL,
+  identifier  TEXT    NOT NULL,
+  metadata    ${json},
+  used        ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  expires_at  ${ts}   NOT NULL,
+  created_at  ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_agent_dids  (W3C Decentralized Identifiers per agent)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_agent_dids (
+  agent_id       TEXT NOT NULL PRIMARY KEY REFERENCES kavach_agents(id) ON DELETE CASCADE,
+  did            TEXT NOT NULL UNIQUE,
+  method         TEXT NOT NULL,
+  public_key_jwk TEXT NOT NULL,
+  did_document   TEXT NOT NULL,
+  created_at     ${ts} NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_magic_links  (passwordless email login)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_magic_links (
+  id         TEXT    NOT NULL PRIMARY KEY,
+  email      TEXT    NOT NULL,
+  token      TEXT    NOT NULL UNIQUE,
+  expires_at ${ts}   NOT NULL,
+  used       ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  created_at ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_email_otps  (one-time password login)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_email_otps (
+  id         TEXT    NOT NULL PRIMARY KEY,
+  email      TEXT    NOT NULL,
+  code_hash  TEXT    NOT NULL,
+  expires_at ${ts}   NOT NULL,
+  attempts   INTEGER NOT NULL DEFAULT 0,
+  created_at ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_totp  (TOTP two-factor authentication)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_totp (
+  user_id      TEXT    NOT NULL PRIMARY KEY REFERENCES kavach_users(id),
+  secret       TEXT    NOT NULL,
+  enabled      ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  backup_codes ${json} NOT NULL,
+  created_at   ${ts}   NOT NULL,
+  updated_at   ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_sso_connections  (SAML 2.0 / OIDC enterprise SSO)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_sso_connections (
+  id          TEXT    NOT NULL PRIMARY KEY,
+  org_id      TEXT    NOT NULL,
+  provider_id TEXT    NOT NULL,
+  type        TEXT    NOT NULL,
+  domain      TEXT    NOT NULL UNIQUE,
+  enabled     INTEGER NOT NULL DEFAULT 1,
+  created_at  ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_api_keys  (static bearer tokens with permission scopes)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_api_keys (
+  id           TEXT    NOT NULL PRIMARY KEY,
+  user_id      TEXT    NOT NULL REFERENCES kavach_users(id),
+  name         TEXT    NOT NULL,
+  key_hash     TEXT    NOT NULL,
+  key_prefix   TEXT    NOT NULL,
+  permissions  ${json} NOT NULL,
+  expires_at   ${tsNull},
+  last_used_at ${tsNull},
+  created_at   ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_username_accounts  (username + password auth)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_username_accounts (
+  id            TEXT NOT NULL PRIMARY KEY,
+  user_id       TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
+  username      TEXT NOT NULL UNIQUE,
+  password_hash TEXT NOT NULL,
+  created_at    ${ts} NOT NULL,
+  updated_at    ${ts} NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_phone_verifications  (SMS OTP)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_phone_verifications (
+  id           TEXT    NOT NULL PRIMARY KEY,
+  phone_number TEXT    NOT NULL,
+  code_hash    TEXT    NOT NULL,
+  attempts     INTEGER NOT NULL DEFAULT 0,
+  expires_at   ${ts}   NOT NULL,
+  created_at   ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_trusted_devices  (skip 2FA on trusted devices for a window)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_trusted_devices (
+  id          TEXT NOT NULL PRIMARY KEY,
+  user_id     TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
+  fingerprint TEXT NOT NULL,
+  label       TEXT NOT NULL,
+  trusted_at  ${ts} NOT NULL,
+  expires_at  ${ts} NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_login_history  (last-login method tracking per user)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_login_history (
+  id         TEXT NOT NULL PRIMARY KEY,
+  user_id    TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
+  method     TEXT NOT NULL,
+  ip         TEXT,
+  user_agent TEXT,
+  timestamp  ${ts} NOT NULL
+)`,
+    `CREATE INDEX ${ifne} kavach_login_history_user_ts
+  ON kavach_login_history (user_id, timestamp DESC)`,
+    // ------------------------------------------------------------------
+    // kavach_oidc_clients  (OIDC Provider — registered relying parties)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_oidc_clients (
+  id                          TEXT    NOT NULL PRIMARY KEY,
+  client_id                   TEXT    NOT NULL UNIQUE,
+  client_secret_hash          TEXT    NOT NULL,
+  client_name                 TEXT    NOT NULL,
+  redirect_uris               ${json} NOT NULL,
+  grant_types                 ${json} NOT NULL,
+  response_types              ${json} NOT NULL,
+  scopes                      ${json} NOT NULL,
+  token_endpoint_auth_method  TEXT    NOT NULL DEFAULT 'client_secret_post',
+  created_at                  ${ts}   NOT NULL,
+  updated_at                  ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_oidc_auth_codes  (OIDC Provider — authorization codes)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_oidc_auth_codes (
+  id                     TEXT    NOT NULL PRIMARY KEY,
+  code_hash              TEXT    NOT NULL UNIQUE,
+  client_id              TEXT    NOT NULL,
+  user_id                TEXT    NOT NULL,
+  redirect_uri           TEXT    NOT NULL,
+  scopes                 TEXT    NOT NULL,
+  nonce                  TEXT,
+  code_challenge         TEXT,
+  code_challenge_method  TEXT,
+  used                   ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  expires_at             ${ts}   NOT NULL,
+  created_at             ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_oidc_refresh_tokens  (OIDC Provider — refresh tokens)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_oidc_refresh_tokens (
+  id          TEXT    NOT NULL PRIMARY KEY,
+  token_hash  TEXT    NOT NULL UNIQUE,
+  client_id   TEXT    NOT NULL,
+  user_id     TEXT    NOT NULL,
+  scopes      TEXT    NOT NULL,
+  revoked     ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  expires_at  ${ts}   NOT NULL,
+  created_at  ${ts}   NOT NULL
+)`,
+    // ------------------------------------------------------------------
+    // kavach_jwt_refresh_tokens  (JWT session plugin — general purpose)
+    // ------------------------------------------------------------------
+    `CREATE TABLE ${ifne} kavach_jwt_refresh_tokens (
+  id          TEXT    NOT NULL PRIMARY KEY,
+  token_hash  TEXT    NOT NULL UNIQUE,
+  user_id     TEXT    NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
+  used        ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
+  expires_at  ${ts}   NOT NULL,
+  created_at  ${ts}   NOT NULL
+)`,
+    `CREATE INDEX ${ifne} kavach_jwt_refresh_tokens_user_id
+  ON kavach_jwt_refresh_tokens (user_id)`
+    // ------------------------------------------------------------------
+    // kavach_users ban columns  (ALTER TABLE IF NOT EXISTS — safe no-ops)
+    // These are appended as separate ALTER statements for existing DBs.
+    // For SQLite we use a separate migration path since SQLite ALTER is limited.
+    // ------------------------------------------------------------------
   ];
 }
 async function createTables(db, provider) {
@@ -269,10 +920,10 @@ async function createTables(db, provider) {
 }
 function isPermissionSubset(parentPerms, childPerms) {
   for (const childPerm of childPerms) {
-    const parentMatch = parentPerms.find((p) => {
-      if (!isResourceSubset(p.resource, childPerm.resource)) return false;
+    const parentMatch = parentPerms.find((p2) => {
+      if (!isResourceSubset(p2.resource, childPerm.resource)) return false;
       for (const action of childPerm.actions) {
-        if (!p.actions.includes(action) && !p.actions.includes("*")) return false;
+        if (!p2.actions.includes(action) && !p2.actions.includes("*")) return false;
       }
       return true;
     });
@@ -315,9 +966,9 @@ function createDelegationModule(config) {
       id,
       fromAgentId: input.fromAgent,
       toAgentId: input.toAgent,
-      permissions: input.permissions.map((p) => ({
-        resource: p.resource,
-        actions: p.actions
+      permissions: input.permissions.map((p2) => ({
+        resource: p2.resource,
+        actions: p2.actions
       })),
       depth: currentDepth,
       maxDepth,
@@ -370,9 +1021,9 @@ function createDelegationModule(config) {
       id: c.id,
       fromAgent: c.fromAgentId,
       toAgent: c.toAgentId,
-      permissions: c.permissions.map((p) => ({
-        resource: p.resource,
-        actions: p.actions
+      permissions: c.permissions.map((p2) => ({
+        resource: p2.resource,
+        actions: p2.actions
       })),
       expiresAt: c.expiresAt,
       depth: c.depth,
@@ -381,80 +1032,1469 @@ function createDelegationModule(config) {
   }
   return { delegate, revokeDelegation, getEffectivePermissions, listChains };
 }
-var DEFAULT_MAX_AGE_SECONDS = 60 * 60 * 24 * 7;
-function createSessionManager(config, db) {
-  if (!config.secret || config.secret.length < 32) {
-    throw new Error("SessionManager: secret must be at least 32 characters.");
-  }
-  const maxAge = config.maxAge ?? DEFAULT_MAX_AGE_SECONDS;
-  const keyBytes = new TextEncoder().encode(config.secret);
-  const keyObject = createSecretKey(keyBytes);
-  function rowToSession(row) {
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function base58btcEncode(bytes) {
+  let leadingZeros = 0;
+  for (const byte of bytes) {
+    if (byte !== 0) break;
+    leadingZeros++;
+  }
+  const digits = [0];
+  for (const byte of bytes) {
+    let carry = byte;
+    for (let i = 0; i < digits.length; i++) {
+      carry += (digits[i] ?? 0) * 256;
+      digits[i] = carry % 58;
+      carry = Math.floor(carry / 58);
+    }
+    while (carry > 0) {
+      digits.push(carry % 58);
+      carry = Math.floor(carry / 58);
+    }
+  }
+  const result = digits.reverse().map((d) => BASE58_ALPHABET[d] ?? "1").join("");
+  return "1".repeat(leadingZeros) + result;
+}
+function base64urlToBytes(b64url) {
+  const padded = b64url.replace(/-/g, "+").replace(/_/g, "/");
+  const padLen = (4 - padded.length % 4) % 4;
+  const b64 = padded + "=".repeat(padLen);
+  const binary = atob(b64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function publicKeyJwkToDidKey(publicKeyJwk) {
+  if (!publicKeyJwk.x) {
+    throw new Error("Ed25519 JWK must have an 'x' parameter");
+  }
+  const rawKey = base64urlToBytes(publicKeyJwk.x);
+  const prefix = new Uint8Array([237, 1]);
+  const multicodecKey = new Uint8Array(prefix.length + rawKey.length);
+  multicodecKey.set(prefix);
+  multicodecKey.set(rawKey, prefix.length);
+  return `did:key:z${base58btcEncode(multicodecKey)}`;
+}
+function buildDidDocument(did, publicKeyJwk) {
+  const keyId = `${did}#${did.slice("did:key:".length)}`;
+  const verificationMethod = {
+    id: keyId,
+    type: "JsonWebKey2020",
+    controller: did,
+    publicKeyJwk
+  };
+  return {
+    "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/jws-2020/v1"],
+    id: did,
+    controller: did,
+    verificationMethod: [verificationMethod],
+    authentication: [keyId],
+    assertionMethod: [keyId],
+    capabilityInvocation: [keyId],
+    capabilityDelegation: [keyId]
+  };
+}
+async function generateDidKey() {
+  const { publicKey, privateKey } = await generateKeyPair("EdDSA", {
+    crv: "Ed25519",
+    extractable: true
+  });
+  const publicKeyJwk = await exportJWK(publicKey);
+  const privateKeyJwk = await exportJWK(privateKey);
+  publicKeyJwk.crv = "Ed25519";
+  publicKeyJwk.kty = "OKP";
+  privateKeyJwk.crv = "Ed25519";
+  privateKeyJwk.kty = "OKP";
+  const did = publicKeyJwkToDidKey(publicKeyJwk);
+  const didDocument = buildDidDocument(did, publicKeyJwk);
+  return {
+    did,
+    publicKeyJwk,
+    privateKeyJwk,
+    didDocument
+  };
+}
+function resolveDidKey(did) {
+  if (!did.startsWith("did:key:z")) return null;
+  const keyId = `${did}#${did.slice("did:key:".length)}`;
+  const verificationMethod = {
+    id: keyId,
+    type: "JsonWebKey2020",
+    controller: did,
+    // Public key JWK is not reconstructed here — callers who need to verify
+    // signatures supply the JWK separately via verifyPayload().
+    publicKeyJwk: { kty: "OKP", crv: "Ed25519" }
+  };
+  return {
+    "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/jws-2020/v1"],
+    id: did,
+    controller: did,
+    verificationMethod: [verificationMethod],
+    authentication: [keyId],
+    assertionMethod: [keyId],
+    capabilityInvocation: [keyId],
+    capabilityDelegation: [keyId]
+  };
+}
+async function signPayload(payload, privateKeyJwk, did) {
+  const privateKey = await importJWK(privateKeyJwk, "EdDSA");
+  const kid = `${did}#${did.split(":").pop() ?? "key-1"}`;
+  const jws = await new SignJWT(payload).setProtectedHeader({ alg: "EdDSA", kid }).setIssuer(did).setIssuedAt().sign(privateKey);
+  return {
+    jws,
+    payload,
+    issuer: did
+  };
+}
+async function verifyPayload(jws, publicKeyJwk) {
+  try {
+    const publicKey = await importJWK(publicKeyJwk, "EdDSA");
+    const { payload } = await jwtVerify(jws, publicKey);
+    const issuer = typeof payload.iss === "string" ? payload.iss : void 0;
+    const { iss, iat, exp, nbf, jti, aud, sub, ...rest } = payload;
+    void iss;
+    void iat;
+    void exp;
+    void nbf;
+    void jti;
+    void aud;
+    void sub;
+    return {
+      valid: true,
+      payload: rest,
+      issuer
+    };
+  } catch (err) {
     return {
-      id: row.id,
-      userId: row.userId,
-      expiresAt: row.expiresAt,
-      createdAt: row.createdAt,
-      ...row.metadata !== null && { metadata: row.metadata }
+      valid: false,
+      error: err instanceof Error ? err.message : "Verification failed"
     };
   }
-  async function create(userId, metadata) {
-    const id = randomUUID();
-    const now = /* @__PURE__ */ new Date();
-    const expiresAt = new Date(now.getTime() + maxAge * 1e3);
-    await db.insert(sessions).values({
-      id,
-      userId,
-      expiresAt,
-      metadata: metadata ?? null,
-      createdAt: now
-    });
-    const token = await new SignJWT({ sub: id }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(Math.floor(expiresAt.getTime() / 1e3)).sign(keyObject);
-    const session = {
-      id,
-      userId,
-      expiresAt,
-      createdAt: now,
-      ...metadata !== void 0 && { metadata }
+}
+async function createPresentation(options) {
+  const { agentId, did, privateKeyJwk, capabilities, audience, expiresIn = 300 } = options;
+  const privateKey = await importJWK(privateKeyJwk, "EdDSA");
+  const kid = `${did}#${did.split(":").pop() ?? "key-1"}`;
+  const builder = new SignJWT({
+    agentId,
+    capabilities,
+    type: "VerifiablePresentation"
+  }).setProtectedHeader({ alg: "EdDSA", kid }).setIssuer(did).setSubject(agentId).setIssuedAt().setExpirationTime(Math.floor(Date.now() / 1e3) + expiresIn);
+  if (audience) {
+    builder.setAudience(audience);
+  }
+  return builder.sign(privateKey);
+}
+async function verifyPresentation(jwt, publicKeyJwk) {
+  try {
+    const publicKey = await importJWK(publicKeyJwk, "EdDSA");
+    const { payload } = await jwtVerify(jwt, publicKey);
+    const agentId = typeof payload.agentId === "string" ? payload.agentId : void 0;
+    const did = typeof payload.iss === "string" ? payload.iss : void 0;
+    const capabilities = Array.isArray(payload.capabilities) ? payload.capabilities : void 0;
+    return {
+      valid: true,
+      agentId,
+      did,
+      capabilities
+    };
+  } catch (err) {
+    return {
+      valid: false,
+      error: err instanceof Error ? err.message : "Presentation verification failed"
     };
-    return { session, token };
   }
-  async function validate(token) {
-    let sessionId;
-    try {
-      const { payload } = await jwtVerify(token, keyObject);
-      if (typeof payload.sub !== "string" || !payload.sub) return null;
-      sessionId = payload.sub;
-    } catch {
-      return null;
-    }
-    const now = /* @__PURE__ */ new Date();
-    const rows = await db.select().from(sessions).where(and(eq(sessions.id, sessionId)));
-    const row = rows[0];
-    if (!row) return null;
-    if (row.expiresAt <= now) {
-      await db.delete(sessions).where(eq(sessions.id, sessionId));
-      return null;
-    }
-    return rowToSession(row);
+}
+
+// src/did/web-method.ts
+function buildDidWeb(config, agentId) {
+  const domain = config.domain.replace(/\//g, ":");
+  if (config.path) {
+    const path = config.path.replace(/\//g, ":").replace(/^:|:$/g, "");
+    return `did:web:${domain}:${path}:${agentId}`;
   }
-  async function revoke(sessionId) {
-    await db.delete(sessions).where(eq(sessions.id, sessionId));
+  return `did:web:${domain}:${agentId}`;
+}
+async function generateDidWeb(config, agentId) {
+  const { publicKeyJwk, privateKeyJwk } = await generateDidKey();
+  const did = buildDidWeb(config, agentId);
+  const didDocument = buildDidDocument(did, publicKeyJwk);
+  return {
+    did,
+    publicKeyJwk,
+    privateKeyJwk,
+    didDocument
+  };
+}
+function getDidWebUrl(did) {
+  if (!did.startsWith("did:web:")) {
+    throw new Error(`Not a did:web identifier: ${did}`);
   }
-  async function revokeAll(userId) {
-    await db.delete(sessions).where(eq(sessions.userId, userId));
+  const methodSpecific = did.slice("did:web:".length);
+  const parts = methodSpecific.split(":");
+  const decoded = parts.map((p2) => decodeURIComponent(p2));
+  if (decoded.length === 1) {
+    return `https://${decoded[0]}/.well-known/did.json`;
   }
-  async function list(userId) {
-    const now = /* @__PURE__ */ new Date();
-    const rows = await db.select().from(sessions).where(and(eq(sessions.userId, userId)));
-    return rows.filter((row) => row.expiresAt > now).sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime()).map(rowToSession);
+  const domain = decoded[0];
+  const pathSegments = decoded.slice(1);
+  return `https://${domain}/${pathSegments.join("/")}/did.json`;
+}
+async function resolveDidWeb(did) {
+  let url;
+  try {
+    url = getDidWebUrl(did);
+  } catch {
+    return null;
+  }
+  try {
+    const response = await fetch(url, {
+      headers: { Accept: "application/json" }
+    });
+    if (!response.ok) return null;
+    const doc = await response.json();
+    if (!doc["@context"] || !doc.id) return null;
+    return doc;
+  } catch {
+    return null;
   }
-  return { create, validate, revoke, revokeAll, list };
 }
 
-// src/kavach.ts
-async function createKavach(config) {
-  const authAdapter = config.auth?.adapter ?? null;
+// src/did/module.ts
+function createDidModule(db, config) {
+  async function generateKey(agentId) {
+    const keyPair = await generateDidKey();
+    const now = /* @__PURE__ */ new Date();
+    await db.insert(agentDids).values({
+      agentId,
+      did: keyPair.did,
+      method: "key",
+      publicKeyJwk: JSON.stringify(keyPair.publicKeyJwk),
+      didDocument: JSON.stringify(keyPair.didDocument),
+      createdAt: now
+    });
+    const agentDid = {
+      agentId,
+      did: keyPair.did,
+      method: "key",
+      publicKeyJwk: keyPair.publicKeyJwk,
+      didDocument: keyPair.didDocument,
+      createdAt: now
+    };
+    return { agentDid, privateKeyJwk: keyPair.privateKeyJwk };
+  }
+  async function generateWeb(agentId) {
+    if (!config?.web) {
+      throw new Error(
+        "did:web requires a web config (domain). Pass { web: { domain: 'example.com' } } to createDidModule()."
+      );
+    }
+    const keyPair = await generateDidWeb(config.web, agentId);
+    const now = /* @__PURE__ */ new Date();
+    await db.insert(agentDids).values({
+      agentId,
+      did: keyPair.did,
+      method: "web",
+      publicKeyJwk: JSON.stringify(keyPair.publicKeyJwk),
+      didDocument: JSON.stringify(keyPair.didDocument),
+      createdAt: now
+    });
+    const agentDid = {
+      agentId,
+      did: keyPair.did,
+      method: "web",
+      publicKeyJwk: keyPair.publicKeyJwk,
+      didDocument: keyPair.didDocument,
+      createdAt: now
+    };
+    return { agentDid, privateKeyJwk: keyPair.privateKeyJwk };
+  }
+  async function resolve(did) {
+    if (did.startsWith("did:key:")) {
+      return resolveDidKey(did);
+    }
+    if (did.startsWith("did:web:")) {
+      return resolveDidWeb(did);
+    }
+    return null;
+  }
+  async function getAgentDid(agentId) {
+    const rows = await db.select().from(agentDids).where(eq(agentDids.agentId, agentId));
+    const row = rows[0];
+    if (!row) return null;
+    return {
+      agentId: row.agentId,
+      did: row.did,
+      method: row.method,
+      publicKeyJwk: JSON.parse(row.publicKeyJwk),
+      didDocument: JSON.parse(row.didDocument),
+      createdAt: row.createdAt
+    };
+  }
+  async function sign(agentId, payload, privateKeyJwk) {
+    const agentDid = await getAgentDid(agentId);
+    if (!agentDid) {
+      throw new Error(`No DID found for agent "${agentId}". Call generateKey() first.`);
+    }
+    return signPayload(payload, privateKeyJwk, agentDid.did);
+  }
+  async function verify(jws, did) {
+    if (!did) {
+      return {
+        valid: false,
+        error: "A DID is required to look up the public key for verification."
+      };
+    }
+    const rows = await db.select().from(agentDids).where(eq(agentDids.did, did));
+    const row = rows[0];
+    if (!row) {
+      return {
+        valid: false,
+        error: `No stored public key found for DID "${did}"`
+      };
+    }
+    const publicKeyJwk = JSON.parse(row.publicKeyJwk);
+    return verifyPayload(jws, publicKeyJwk);
+  }
+  async function createPresentationForAgent(options) {
+    const agentDid = await getAgentDid(options.agentId);
+    if (!agentDid) {
+      throw new Error(`No DID found for agent "${options.agentId}". Call generateKey() first.`);
+    }
+    return createPresentation({
+      agentId: options.agentId,
+      did: agentDid.did,
+      privateKeyJwk: options.privateKeyJwk,
+      capabilities: options.capabilities,
+      audience: options.audience,
+      expiresIn: options.expiresIn
+    });
+  }
+  async function verifyPresentationForAgent(jwt) {
+    const parts = jwt.split(".");
+    if (parts.length !== 3) {
+      return { valid: false, error: "Malformed JWT: expected 3 parts" };
+    }
+    let issuerDid;
+    try {
+      const payloadPart = parts[1] ?? "";
+      const padded = payloadPart.replace(/-/g, "+").replace(/_/g, "/");
+      const padLen = (4 - padded.length % 4) % 4;
+      const decoded = atob(padded + "=".repeat(padLen));
+      const claims = JSON.parse(decoded);
+      issuerDid = typeof claims.iss === "string" ? claims.iss : void 0;
+    } catch {
+      return { valid: false, error: "Failed to decode JWT payload" };
+    }
+    if (!issuerDid) {
+      return { valid: false, error: "JWT missing 'iss' claim" };
+    }
+    const rows = await db.select().from(agentDids).where(eq(agentDids.did, issuerDid));
+    const row = rows[0];
+    if (!row) {
+      return {
+        valid: false,
+        error: `No stored public key found for DID "${issuerDid}"`
+      };
+    }
+    const publicKeyJwk = JSON.parse(row.publicKeyJwk);
+    const result = await verifyPresentation(jwt, publicKeyJwk);
+    if (!result.valid) {
+      return { valid: false, error: result.error };
+    }
+    return {
+      valid: true,
+      issuer: result.did,
+      payload: void 0,
+      capabilities: result.capabilities
+    };
+  }
+  return {
+    generateKey,
+    generateWeb,
+    resolve,
+    getAgentDid,
+    sign,
+    verify,
+    createPresentation: createPresentationForAgent,
+    verifyPresentation: verifyPresentationForAgent
+  };
+}
+
+// src/email/templates.ts
+var OUTER_STYLES = 'font-family:Inter,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;background:#f4f4f5;margin:0;padding:0;';
+var CONTAINER_STYLES = "max-width:560px;margin:32px auto;background:#ffffff;border-radius:8px;overflow:hidden;";
+var HEADER_STYLES = "background:#C9A84C;padding:24px 32px;";
+var HEADER_H1_STYLES = "color:#ffffff;margin:0;font-size:20px;font-weight:600;letter-spacing:-0.3px;";
+var BODY_STYLES = "padding:32px;";
+var P_STYLES = "margin:0 0 16px;color:#3f3f46;font-size:15px;line-height:1.6;";
+var CODE_STYLES = "display:inline-block;background:#fef9ec;border:1px solid #e9c97e;border-radius:6px;padding:12px 24px;font-family:JetBrains Mono,monospace;font-size:24px;font-weight:700;letter-spacing:4px;color:#8B6914;";
+var BUTTON_STYLES = "display:inline-block;background:#C9A84C;color:#ffffff;text-decoration:none;padding:12px 24px;border-radius:6px;font-size:15px;font-weight:600;";
+var FOOTER_STYLES = "border-top:1px solid #e4e4e7;padding:16px 32px;color:#a1a1aa;font-size:13px;";
+function html(appName, title, body) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>${title}</title></head>
+<body style="${OUTER_STYLES}">
+<table width="100%" cellpadding="0" cellspacing="0" border="0"><tr><td>
+<div style="${CONTAINER_STYLES}">
+  <div style="${HEADER_STYLES}"><h1 style="${HEADER_H1_STYLES}">${appName}</h1></div>
+  <div style="${BODY_STYLES}">${body}</div>
+  <div style="${FOOTER_STYLES}">You received this email because of activity on your ${appName} account.</div>
+</div>
+</td></tr></table>
+</body>
+</html>`;
+}
+function p(content) {
+  return `<p style="${P_STYLES}">${content}</p>`;
+}
+function button(url, label) {
+  return `<p style="margin:24px 0;"><a href="${url}" style="${BUTTON_STYLES}">${label}</a></p>`;
+}
+function code(value) {
+  return `<p style="margin:24px 0;"><span style="${CODE_STYLES}">${value}</span></p>`;
+}
+function verificationTemplate(appName, appUrl, vars) {
+  const email = vars.email ?? "";
+  const verifyUrl = vars.verifyUrl ?? `${appUrl}/verify?token=${vars.token ?? ""}`;
+  return {
+    subject: `Verify your email - ${appName}`,
+    text: [
+      `Verify your email address`,
+      ``,
+      `Hi${email ? ` ${email}` : ""},`,
+      ``,
+      `Please verify your email address by visiting the link below:`,
+      ``,
+      verifyUrl,
+      ``,
+      `This link expires in 24 hours. If you did not create an account, you can ignore this email.`
+    ].join("\n"),
+    html: html(
+      appName,
+      `Verify your email`,
+      [
+        p(`Hi${email ? ` <strong>${email}</strong>` : ""},`),
+        p("Please verify your email address to complete your sign-up."),
+        button(verifyUrl, "Verify email"),
+        p(`Or copy this link: <a href="${verifyUrl}" style="color:#C9A84C;">${verifyUrl}</a>`),
+        p(
+          `This link expires in 24 hours. If you did not create an account, you can safely ignore this email.`
+        )
+      ].join("")
+    )
+  };
+}
+function passwordResetTemplate(appName, appUrl, vars) {
+  const email = vars.email ?? "";
+  const resetUrl = vars.resetUrl ?? `${appUrl}/reset-password?token=${vars.token ?? ""}`;
+  return {
+    subject: `Reset your password - ${appName}`,
+    text: [
+      `Reset your password`,
+      ``,
+      `Hi${email ? ` ${email}` : ""},`,
+      ``,
+      `We received a request to reset your password. Click the link below to proceed:`,
+      ``,
+      resetUrl,
+      ``,
+      `This link expires in 1 hour. If you did not request a password reset, you can ignore this email.`
+    ].join("\n"),
+    html: html(
+      appName,
+      `Reset your password`,
+      [
+        p(`Hi${email ? ` <strong>${email}</strong>` : ""},`),
+        p("We received a request to reset your password."),
+        button(resetUrl, "Reset password"),
+        p(`Or copy this link: <a href="${resetUrl}" style="color:#C9A84C;">${resetUrl}</a>`),
+        p(
+          `This link expires in 1 hour. If you did not request a password reset, you can safely ignore this email.`
+        )
+      ].join("")
+    )
+  };
+}
+function magicLinkTemplate(appName, _appUrl, vars) {
+  const email = vars.email ?? "";
+  const url = vars.url ?? "";
+  return {
+    subject: `Sign in to ${appName}`,
+    text: [
+      `Sign in to ${appName}`,
+      ``,
+      `Hi${email ? ` ${email}` : ""},`,
+      ``,
+      `Click the link below to sign in to your account. This link expires in 15 minutes and can only be used once.`,
+      ``,
+      url
+    ].join("\n"),
+    html: html(
+      appName,
+      `Sign in to ${appName}`,
+      [
+        p(`Hi${email ? ` <strong>${email}</strong>` : ""},`),
+        p(
+          "Click the button below to sign in. This link expires in 15 minutes and can only be used once."
+        ),
+        button(url, `Sign in to ${appName}`),
+        p(`Or copy this link: <a href="${url}" style="color:#C9A84C;">${url}</a>`)
+      ].join("")
+    )
+  };
+}
+function emailOtpTemplate(appName, _appUrl, vars) {
+  const email = vars.email ?? "";
+  const otpCode = vars.code ?? "";
+  return {
+    subject: `Your verification code: ${otpCode}`,
+    text: [
+      `Your verification code`,
+      ``,
+      `Hi${email ? ` ${email}` : ""},`,
+      ``,
+      `Your ${appName} verification code is:`,
+      ``,
+      otpCode,
+      ``,
+      `This code expires in 10 minutes. Do not share it with anyone.`
+    ].join("\n"),
+    html: html(
+      appName,
+      `Your verification code`,
+      [
+        p(`Hi${email ? ` <strong>${email}</strong>` : ""},`),
+        p(`Your ${appName} verification code is:`),
+        code(otpCode),
+        p("This code expires in 10 minutes. Do not share it with anyone.")
+      ].join("")
+    )
+  };
+}
+function invitationTemplate(appName, _appUrl, vars) {
+  const email = vars.email ?? "";
+  const orgName = vars.orgName ?? "an organization";
+  const inviteUrl = vars.inviteUrl ?? "";
+  return {
+    subject: `You've been invited to ${orgName}`,
+    text: [
+      `You've been invited to ${orgName}`,
+      ``,
+      `Hi${email ? ` ${email}` : ""},`,
+      ``,
+      `You've been invited to join ${orgName} on ${appName}. Click the link below to accept:`,
+      ``,
+      inviteUrl,
+      ``,
+      `If you were not expecting this invitation, you can ignore this email.`
+    ].join("\n"),
+    html: html(
+      appName,
+      `You've been invited to ${orgName}`,
+      [
+        p(`Hi${email ? ` <strong>${email}</strong>` : ""},`),
+        p(`You've been invited to join <strong>${orgName}</strong> on ${appName}.`),
+        button(inviteUrl, `Accept invitation`),
+        p(`Or copy this link: <a href="${inviteUrl}" style="color:#C9A84C;">${inviteUrl}</a>`),
+        p("If you were not expecting this invitation, you can safely ignore this email.")
+      ].join("")
+    )
+  };
+}
+function welcomeTemplate(appName, appUrl, vars) {
+  const email = vars.email ?? "";
+  const name = vars.name ?? email;
+  return {
+    subject: `Welcome to ${appName}`,
+    text: [
+      `Welcome to ${appName}`,
+      ``,
+      `Hi ${name},`,
+      ``,
+      `Your account is ready. Head over to ${appUrl} to get started.`,
+      ``,
+      `If you have any questions, reply to this email.`
+    ].join("\n"),
+    html: html(
+      appName,
+      `Welcome to ${appName}`,
+      [
+        p(`Hi <strong>${name}</strong>,`),
+        p(`Your account is ready. Welcome to ${appName}.`),
+        button(appUrl, `Get started`),
+        p("If you have any questions, just reply to this email.")
+      ].join("")
+    )
+  };
+}
+function createEmailTemplates(config = {}) {
+  const appName = config.appName ?? "KavachOS";
+  const appUrl = config.appUrl ?? "http://localhost:3000";
+  const overrides = config.templates ?? {};
+  function render(name, vars) {
+    const override = overrides[name];
+    if (override) {
+      return override(vars);
+    }
+    switch (name) {
+      case "verification":
+        return verificationTemplate(appName, appUrl, vars);
+      case "passwordReset":
+        return passwordResetTemplate(appName, appUrl, vars);
+      case "magicLink":
+        return magicLinkTemplate(appName, appUrl, vars);
+      case "emailOtp":
+        return emailOtpTemplate(appName, appUrl, vars);
+      case "invitation":
+        return invitationTemplate(appName, appUrl, vars);
+      case "welcome":
+        return welcomeTemplate(appName, appUrl, vars);
+    }
+  }
+  return { render };
+}
+
+// src/hooks/lifecycle.ts
+function classifyViolation(reason) {
+  const r = reason?.toLowerCase() ?? "";
+  if (r.includes("rate") || r.includes("rate_limited")) return "rate_limited";
+  if (r.includes("ip") || r.includes("allowlist")) return "ip_blocked";
+  if (r.includes("time") || r.includes("window")) return "time_restricted";
+  if (r.includes("approval")) return "approval_required";
+  return "permission_denied";
+}
+
+// src/i18n/locales/en.ts
+var en = {
+  // Auth errors
+  "auth.invalidCredentials": "Invalid email or password.",
+  "auth.emailNotVerified": "Please verify your email address before signing in.",
+  "auth.accountLocked": "Your account has been locked. Contact support to unlock it.",
+  "auth.rateLimited": "Too many requests. Try again in {{retryAfter}} seconds.",
+  "auth.emailAlreadyExists": "An account with that email already exists.",
+  "auth.weakPassword": "Password is too weak. Use at least 8 characters with a mix of letters, numbers, and symbols.",
+  "auth.tokenExpired": "This link has expired. Request a new one.",
+  "auth.tokenInvalid": "This link is invalid or has already been used.",
+  "auth.unauthorized": "You are not authorized to perform this action.",
+  // Agent errors
+  "agent.notFound": "Agent not found.",
+  "agent.revoked": "This agent's access has been revoked.",
+  "agent.limitExceeded": "Agent limit reached for this account.",
+  "agent.permissionDenied": "Agent does not have permission to perform this action.",
+  // 2FA
+  "twoFactor.invalidCode": "Invalid verification code. Check your authenticator app and try again.",
+  "twoFactor.alreadyEnabled": "Two-factor authentication is already enabled on this account.",
+  "twoFactor.notEnabled": "Two-factor authentication is not enabled on this account.",
+  // Email subjects
+  "email.verification.subject": "Verify your email address",
+  "email.passwordReset.subject": "Reset your password",
+  "email.magicLink.subject": "Your sign-in link",
+  "email.otp.subject": "Your one-time code",
+  "email.invitation.subject": "You have been invited to join {{orgName}}",
+  "email.welcome.subject": "Welcome to {{appName}}",
+  // General
+  "general.serverError": "Something went wrong. Try again later.",
+  "general.badRequest": "The request could not be processed.",
+  "general.notFound": "The requested resource was not found."
+};
+
+// src/i18n/i18n.ts
+function interpolate(template, vars) {
+  return template.replace(/\{\{(\w+)\}\}/g, (match, key) => {
+    return Object.hasOwn(vars, key) ? vars[key] ?? match : `{{${key}}}`;
+  });
+}
+function resolveLocale(requested, registry, defaultLocale) {
+  if (registry.has(requested)) return requested;
+  const prefix = requested.split("-")[0];
+  if (prefix && registry.has(prefix)) return prefix;
+  if (registry.has(defaultLocale)) return defaultLocale;
+  return "en";
+}
+function createI18n(config = {}) {
+  const defaultLocale = config.defaultLocale ?? "en";
+  const registry = /* @__PURE__ */ new Map();
+  registry.set("en", { ...en });
+  if (config.translations) {
+    for (const [locale, keys] of Object.entries(config.translations)) {
+      const existing = registry.get(locale) ?? {};
+      registry.set(locale, { ...existing, ...keys });
+    }
+  }
+  function lookup(key, locale) {
+    const resolved = resolveLocale(locale, registry, defaultLocale);
+    const localeMap = registry.get(resolved);
+    if (localeMap && key in localeMap) {
+      return localeMap[key];
+    }
+    const englishMap = registry.get("en");
+    if (englishMap && key in englishMap) {
+      return englishMap[key];
+    }
+    return key;
+  }
+  function t(key, varsOrLocale, maybeLocale) {
+    if (typeof varsOrLocale === "string" || varsOrLocale === void 0) {
+      const locale2 = varsOrLocale ?? defaultLocale;
+      return lookup(key, locale2);
+    }
+    const locale = maybeLocale ?? defaultLocale;
+    const raw = lookup(key, locale);
+    return interpolate(raw, varsOrLocale);
+  }
+  function addLocale(locale, translations) {
+    const existing = registry.get(locale) ?? {};
+    registry.set(locale, { ...existing, ...translations });
+  }
+  function getLocales() {
+    return Array.from(registry.keys());
+  }
+  return { t, addLocale, getLocales };
+}
+
+// src/i18n/locales/de.ts
+var de = {
+  // Auth errors
+  "auth.invalidCredentials": "Ung\xFCltige E-Mail-Adresse oder falsches Passwort.",
+  "auth.emailNotVerified": "Bitte best\xE4tige deine E-Mail-Adresse, bevor du dich anmeldest.",
+  "auth.accountLocked": "Dein Konto wurde gesperrt. Wende dich an den Support, um es freizuschalten.",
+  "auth.rateLimited": "Zu viele Anfragen. Versuche es in {{retryAfter}} Sekunden erneut.",
+  "auth.emailAlreadyExists": "Ein Konto mit dieser E-Mail-Adresse existiert bereits.",
+  "auth.weakPassword": "Das Passwort ist zu schwach. Verwende mindestens 8 Zeichen mit Buchstaben, Zahlen und Symbolen.",
+  "auth.tokenExpired": "Dieser Link ist abgelaufen. Fordere einen neuen an.",
+  "auth.tokenInvalid": "Dieser Link ist ung\xFCltig oder wurde bereits verwendet.",
+  "auth.unauthorized": "Du bist nicht berechtigt, diese Aktion auszuf\xFChren.",
+  // Agent errors
+  "agent.notFound": "Agent nicht gefunden.",
+  "agent.revoked": "Der Zugriff dieses Agenten wurde widerrufen.",
+  "agent.limitExceeded": "Agentenlimit f\xFCr dieses Konto erreicht.",
+  "agent.permissionDenied": "Der Agent hat keine Berechtigung f\xFCr diese Aktion.",
+  // 2FA
+  "twoFactor.invalidCode": "Ung\xFCltiger Best\xE4tigungscode. \xDCberpr\xFCfe deine Authentifizierungs-App und versuche es erneut.",
+  "twoFactor.alreadyEnabled": "Die Zwei-Faktor-Authentifizierung ist f\xFCr dieses Konto bereits aktiviert.",
+  "twoFactor.notEnabled": "Die Zwei-Faktor-Authentifizierung ist f\xFCr dieses Konto nicht aktiviert.",
+  // Email subjects
+  "email.verification.subject": "Best\xE4tige deine E-Mail-Adresse",
+  "email.passwordReset.subject": "Setze dein Passwort zur\xFCck",
+  "email.magicLink.subject": "Dein Anmelde-Link",
+  "email.otp.subject": "Dein Einmalcode",
+  "email.invitation.subject": "Du wurdest eingeladen, {{orgName}} beizutreten",
+  "email.welcome.subject": "Willkommen bei {{appName}}",
+  // General
+  "general.serverError": "Etwas ist schiefgelaufen. Versuche es sp\xE4ter erneut.",
+  "general.badRequest": "Die Anfrage konnte nicht verarbeitet werden.",
+  "general.notFound": "Die angeforderte Ressource wurde nicht gefunden."
+};
+
+// src/i18n/locales/es.ts
+var es = {
+  // Auth errors
+  "auth.invalidCredentials": "Correo electr\xF3nico o contrase\xF1a incorrectos.",
+  "auth.emailNotVerified": "Verifica tu direcci\xF3n de correo electr\xF3nico antes de iniciar sesi\xF3n.",
+  "auth.accountLocked": "Tu cuenta ha sido bloqueada. Contacta con soporte para desbloquearla.",
+  "auth.rateLimited": "Demasiadas solicitudes. Int\xE9ntalo de nuevo en {{retryAfter}} segundos.",
+  "auth.emailAlreadyExists": "Ya existe una cuenta con ese correo electr\xF3nico.",
+  "auth.weakPassword": "La contrase\xF1a es demasiado d\xE9bil. Usa al menos 8 caracteres con letras, n\xFAmeros y s\xEDmbolos.",
+  "auth.tokenExpired": "Este enlace ha caducado. Solicita uno nuevo.",
+  "auth.tokenInvalid": "Este enlace no es v\xE1lido o ya ha sido utilizado.",
+  "auth.unauthorized": "No tienes autorizaci\xF3n para realizar esta acci\xF3n.",
+  // Agent errors
+  "agent.notFound": "Agente no encontrado.",
+  "agent.revoked": "El acceso de este agente ha sido revocado.",
+  "agent.limitExceeded": "L\xEDmite de agentes alcanzado para esta cuenta.",
+  "agent.permissionDenied": "El agente no tiene permiso para realizar esta acci\xF3n.",
+  // 2FA
+  "twoFactor.invalidCode": "C\xF3digo de verificaci\xF3n incorrecto. Comprueba tu aplicaci\xF3n autenticadora e int\xE9ntalo de nuevo.",
+  "twoFactor.alreadyEnabled": "La autenticaci\xF3n de dos factores ya est\xE1 activada en esta cuenta.",
+  "twoFactor.notEnabled": "La autenticaci\xF3n de dos factores no est\xE1 activada en esta cuenta.",
+  // Email subjects
+  "email.verification.subject": "Verifica tu direcci\xF3n de correo electr\xF3nico",
+  "email.passwordReset.subject": "Restablece tu contrase\xF1a",
+  "email.magicLink.subject": "Tu enlace de acceso",
+  "email.otp.subject": "Tu c\xF3digo de un solo uso",
+  "email.invitation.subject": "Has sido invitado a unirte a {{orgName}}",
+  "email.welcome.subject": "Bienvenido a {{appName}}",
+  // General
+  "general.serverError": "Algo sali\xF3 mal. Int\xE9ntalo de nuevo m\xE1s tarde.",
+  "general.badRequest": "La solicitud no pudo procesarse.",
+  "general.notFound": "El recurso solicitado no fue encontrado."
+};
+
+// src/i18n/locales/fr.ts
+var fr = {
+  // Auth errors
+  "auth.invalidCredentials": "Adresse e-mail ou mot de passe incorrect.",
+  "auth.emailNotVerified": "Veuillez v\xE9rifier votre adresse e-mail avant de vous connecter.",
+  "auth.accountLocked": "Votre compte a \xE9t\xE9 verrouill\xE9. Contactez le support pour le d\xE9verrouiller.",
+  "auth.rateLimited": "Trop de tentatives. R\xE9essayez dans {{retryAfter}} secondes.",
+  "auth.emailAlreadyExists": "Un compte avec cette adresse e-mail existe d\xE9j\xE0.",
+  "auth.weakPassword": "Le mot de passe est trop faible. Utilisez au moins 8 caract\xE8res avec des lettres, des chiffres et des symboles.",
+  "auth.tokenExpired": "Ce lien a expir\xE9. Demandez-en un nouveau.",
+  "auth.tokenInvalid": "Ce lien est invalide ou a d\xE9j\xE0 \xE9t\xE9 utilis\xE9.",
+  "auth.unauthorized": "Vous n'\xEAtes pas autoris\xE9 \xE0 effectuer cette action.",
+  // Agent errors
+  "agent.notFound": "Agent introuvable.",
+  "agent.revoked": "L'acc\xE8s de cet agent a \xE9t\xE9 r\xE9voqu\xE9.",
+  "agent.limitExceeded": "Limite d'agents atteinte pour ce compte.",
+  "agent.permissionDenied": "L'agent n'est pas autoris\xE9 \xE0 effectuer cette action.",
+  // 2FA
+  "twoFactor.invalidCode": "Code de v\xE9rification invalide. V\xE9rifiez votre application d'authentification et r\xE9essayez.",
+  "twoFactor.alreadyEnabled": "L'authentification \xE0 deux facteurs est d\xE9j\xE0 activ\xE9e sur ce compte.",
+  "twoFactor.notEnabled": "L'authentification \xE0 deux facteurs n'est pas activ\xE9e sur ce compte.",
+  // Email subjects
+  "email.verification.subject": "V\xE9rifiez votre adresse e-mail",
+  "email.passwordReset.subject": "R\xE9initialisez votre mot de passe",
+  "email.magicLink.subject": "Votre lien de connexion",
+  "email.otp.subject": "Votre code \xE0 usage unique",
+  "email.invitation.subject": "Vous avez \xE9t\xE9 invit\xE9 \xE0 rejoindre {{orgName}}",
+  "email.welcome.subject": "Bienvenue sur {{appName}}",
+  // General
+  "general.serverError": "Une erreur s'est produite. R\xE9essayez plus tard.",
+  "general.badRequest": "La requ\xEAte n'a pas pu \xEAtre trait\xE9e.",
+  "general.notFound": "La ressource demand\xE9e est introuvable."
+};
+
+// src/i18n/locales/ja.ts
+var ja = {
+  // Auth errors
+  "auth.invalidCredentials": "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u307E\u305F\u306F\u30D1\u30B9\u30EF\u30FC\u30C9\u304C\u6B63\u3057\u304F\u3042\u308A\u307E\u305B\u3093\u3002",
+  "auth.emailNotVerified": "\u30B5\u30A4\u30F3\u30A4\u30F3\u3059\u308B\u524D\u306B\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u78BA\u8A8D\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "auth.accountLocked": "\u30A2\u30AB\u30A6\u30F3\u30C8\u304C\u30ED\u30C3\u30AF\u3055\u308C\u3066\u3044\u307E\u3059\u3002\u30B5\u30DD\u30FC\u30C8\u306B\u9023\u7D61\u3057\u3066\u30ED\u30C3\u30AF\u3092\u89E3\u9664\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "auth.rateLimited": "\u30EA\u30AF\u30A8\u30B9\u30C8\u304C\u591A\u3059\u304E\u307E\u3059\u3002{{retryAfter}}\u79D2\u5F8C\u306B\u518D\u8A66\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "auth.emailAlreadyExists": "\u305D\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306E\u30A2\u30AB\u30A6\u30F3\u30C8\u306F\u3059\u3067\u306B\u5B58\u5728\u3057\u307E\u3059\u3002",
+  "auth.weakPassword": "\u30D1\u30B9\u30EF\u30FC\u30C9\u304C\u5F31\u3059\u304E\u307E\u3059\u3002\u6587\u5B57\u3001\u6570\u5B57\u3001\u8A18\u53F7\u3092\u7D44\u307F\u5408\u308F\u305B\u305F8\u6587\u5B57\u4EE5\u4E0A\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u4F7F\u7528\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "auth.tokenExpired": "\u3053\u306E\u30EA\u30F3\u30AF\u306E\u6709\u52B9\u671F\u9650\u304C\u5207\u308C\u3066\u3044\u307E\u3059\u3002\u65B0\u3057\u3044\u30EA\u30F3\u30AF\u3092\u30EA\u30AF\u30A8\u30B9\u30C8\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "auth.tokenInvalid": "\u3053\u306E\u30EA\u30F3\u30AF\u306F\u7121\u52B9\u304B\u3001\u3059\u3067\u306B\u4F7F\u7528\u3055\u308C\u3066\u3044\u307E\u3059\u3002",
+  "auth.unauthorized": "\u3053\u306E\u64CD\u4F5C\u3092\u5B9F\u884C\u3059\u308B\u6A29\u9650\u304C\u3042\u308A\u307E\u305B\u3093\u3002",
+  // Agent errors
+  "agent.notFound": "\u30A8\u30FC\u30B8\u30A7\u30F3\u30C8\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093\u3002",
+  "agent.revoked": "\u3053\u306E\u30A8\u30FC\u30B8\u30A7\u30F3\u30C8\u306E\u30A2\u30AF\u30BB\u30B9\u304C\u53D6\u308A\u6D88\u3055\u308C\u307E\u3057\u305F\u3002",
+  "agent.limitExceeded": "\u3053\u306E\u30A2\u30AB\u30A6\u30F3\u30C8\u306E\u30A8\u30FC\u30B8\u30A7\u30F3\u30C8\u4E0A\u9650\u306B\u9054\u3057\u307E\u3057\u305F\u3002",
+  "agent.permissionDenied": "\u30A8\u30FC\u30B8\u30A7\u30F3\u30C8\u306B\u306F\u3053\u306E\u64CD\u4F5C\u3092\u5B9F\u884C\u3059\u308B\u6A29\u9650\u304C\u3042\u308A\u307E\u305B\u3093\u3002",
+  // 2FA
+  "twoFactor.invalidCode": "\u78BA\u8A8D\u30B3\u30FC\u30C9\u304C\u6B63\u3057\u304F\u3042\u308A\u307E\u305B\u3093\u3002\u8A8D\u8A3C\u30A2\u30D7\u30EA\u3092\u78BA\u8A8D\u3057\u3066\u518D\u8A66\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002",
+  "twoFactor.alreadyEnabled": "\u3053\u306E\u30A2\u30AB\u30A6\u30F3\u30C8\u3067\u306F\u4E8C\u8981\u7D20\u8A8D\u8A3C\u304C\u3059\u3067\u306B\u6709\u52B9\u306B\u306A\u3063\u3066\u3044\u307E\u3059\u3002",
+  "twoFactor.notEnabled": "\u3053\u306E\u30A2\u30AB\u30A6\u30F3\u30C8\u3067\u306F\u4E8C\u8981\u7D20\u8A8D\u8A3C\u304C\u6709\u52B9\u306B\u306A\u3063\u3066\u3044\u307E\u305B\u3093\u3002",
+  // Email subjects
+  "email.verification.subject": "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u78BA\u8A8D\u3057\u3066\u304F\u3060\u3055\u3044",
+  "email.passwordReset.subject": "\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u30EA\u30BB\u30C3\u30C8",
+  "email.magicLink.subject": "\u30B5\u30A4\u30F3\u30A4\u30F3\u30EA\u30F3\u30AF",
+  "email.otp.subject": "\u30EF\u30F3\u30BF\u30A4\u30E0\u30B3\u30FC\u30C9",
+  "email.invitation.subject": "{{orgName}}\u3078\u306E\u62DB\u5F85",
+  "email.welcome.subject": "{{appName}}\u3078\u3088\u3046\u3053\u305D",
+  // General
+  "general.serverError": "\u554F\u984C\u304C\u767A\u751F\u3057\u307E\u3057\u305F\u3002\u5F8C\u3067\u3082\u3046\u4E00\u5EA6\u304A\u8A66\u3057\u304F\u3060\u3055\u3044\u3002",
+  "general.badRequest": "\u30EA\u30AF\u30A8\u30B9\u30C8\u3092\u51E6\u7406\u3067\u304D\u307E\u305B\u3093\u3067\u3057\u305F\u3002",
+  "general.notFound": "\u30EA\u30AF\u30A8\u30B9\u30C8\u3055\u308C\u305F\u30EA\u30BD\u30FC\u30B9\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093\u3002"
+};
+
+// src/i18n/locales/zh.ts
+var zh = {
+  // Auth errors
+  "auth.invalidCredentials": "\u90AE\u7BB1\u6216\u5BC6\u7801\u4E0D\u6B63\u786E\u3002",
+  "auth.emailNotVerified": "\u8BF7\u5728\u767B\u5F55\u524D\u9A8C\u8BC1\u60A8\u7684\u7535\u5B50\u90AE\u4EF6\u5730\u5740\u3002",
+  "auth.accountLocked": "\u60A8\u7684\u8D26\u6237\u5DF2\u88AB\u9501\u5B9A\uFF0C\u8BF7\u8054\u7CFB\u652F\u6301\u56E2\u961F\u89E3\u9501\u3002",
+  "auth.rateLimited": "\u8BF7\u6C42\u8FC7\u4E8E\u9891\u7E41\uFF0C\u8BF7\u5728 {{retryAfter}} \u79D2\u540E\u91CD\u8BD5\u3002",
+  "auth.emailAlreadyExists": "\u8BE5\u90AE\u7BB1\u5730\u5740\u5DF2\u6CE8\u518C\u8D26\u6237\u3002",
+  "auth.weakPassword": "\u5BC6\u7801\u5F3A\u5EA6\u4E0D\u8DB3\uFF0C\u8BF7\u4F7F\u7528\u81F3\u5C11 8 \u4F4D\u5305\u542B\u5B57\u6BCD\u3001\u6570\u5B57\u548C\u7B26\u53F7\u7684\u5BC6\u7801\u3002",
+  "auth.tokenExpired": "\u6B64\u94FE\u63A5\u5DF2\u8FC7\u671F\uFF0C\u8BF7\u91CD\u65B0\u7533\u8BF7\u3002",
+  "auth.tokenInvalid": "\u6B64\u94FE\u63A5\u65E0\u6548\u6216\u5DF2\u88AB\u4F7F\u7528\u3002",
+  "auth.unauthorized": "\u60A8\u6CA1\u6709\u6743\u9650\u6267\u884C\u6B64\u64CD\u4F5C\u3002",
+  // Agent errors
+  "agent.notFound": "\u672A\u627E\u5230\u8BE5\u4EE3\u7406\u3002",
+  "agent.revoked": "\u8BE5\u4EE3\u7406\u7684\u8BBF\u95EE\u6743\u9650\u5DF2\u88AB\u64A4\u9500\u3002",
+  "agent.limitExceeded": "\u5DF2\u8FBE\u5230\u8BE5\u8D26\u6237\u7684\u4EE3\u7406\u6570\u91CF\u4E0A\u9650\u3002",
+  "agent.permissionDenied": "\u4EE3\u7406\u6CA1\u6709\u6267\u884C\u6B64\u64CD\u4F5C\u7684\u6743\u9650\u3002",
+  // 2FA
+  "twoFactor.invalidCode": "\u9A8C\u8BC1\u7801\u65E0\u6548\uFF0C\u8BF7\u68C0\u67E5\u60A8\u7684\u9A8C\u8BC1\u5E94\u7528\u5E76\u91CD\u8BD5\u3002",
+  "twoFactor.alreadyEnabled": "\u8BE5\u8D26\u6237\u5DF2\u542F\u7528\u53CC\u91CD\u9A8C\u8BC1\u3002",
+  "twoFactor.notEnabled": "\u8BE5\u8D26\u6237\u672A\u542F\u7528\u53CC\u91CD\u9A8C\u8BC1\u3002",
+  // Email subjects
+  "email.verification.subject": "\u8BF7\u9A8C\u8BC1\u60A8\u7684\u7535\u5B50\u90AE\u4EF6\u5730\u5740",
+  "email.passwordReset.subject": "\u91CD\u7F6E\u60A8\u7684\u5BC6\u7801",
+  "email.magicLink.subject": "\u60A8\u7684\u767B\u5F55\u94FE\u63A5",
+  "email.otp.subject": "\u60A8\u7684\u4E00\u6B21\u6027\u9A8C\u8BC1\u7801",
+  "email.invitation.subject": "\u60A8\u5DF2\u88AB\u9080\u8BF7\u52A0\u5165 {{orgName}}",
+  "email.welcome.subject": "\u6B22\u8FCE\u4F7F\u7528 {{appName}}",
+  // General
+  "general.serverError": "\u51FA\u73B0\u4E86\u4E00\u4E9B\u95EE\u9898\uFF0C\u8BF7\u7A0D\u540E\u518D\u8BD5\u3002",
+  "general.badRequest": "\u65E0\u6CD5\u5904\u7406\u8BE5\u8BF7\u6C42\u3002",
+  "general.notFound": "\u672A\u627E\u5230\u8BF7\u6C42\u7684\u8D44\u6E90\u3002"
+};
+
+// src/plugin/router.ts
+function matchPath(pattern, pathname) {
+  const patternParts = pattern.split("/");
+  const pathParts = pathname.split("/");
+  if (patternParts.length !== pathParts.length) return null;
+  const params = {};
+  for (let i = 0; i < patternParts.length; i++) {
+    const patternPart = patternParts[i];
+    const pathPart = pathParts[i];
+    if (patternPart === void 0 || pathPart === void 0) return null;
+    if (patternPart.startsWith(":")) {
+      const paramName = patternPart.slice(1);
+      params[paramName] = decodeURIComponent(pathPart);
+    } else if (patternPart !== pathPart) {
+      return null;
+    }
+  }
+  return params;
+}
+function createPluginRouter(endpoints) {
+  return {
+    async handle(request, basePath, endpointCtx) {
+      const url = new URL(request.url);
+      let pathname = url.pathname;
+      const base = basePath.endsWith("/") ? basePath.slice(0, -1) : basePath;
+      if (base && pathname.startsWith(base)) {
+        pathname = pathname.slice(base.length) || "/";
+      }
+      if (!pathname.startsWith("/")) {
+        pathname = `/${pathname}`;
+      }
+      if (pathname.length > 1 && pathname.endsWith("/")) {
+        pathname = pathname.slice(0, -1);
+      }
+      const method = request.method.toUpperCase();
+      for (const endpoint of endpoints) {
+        if (endpoint.method !== method) continue;
+        const params = matchPath(endpoint.path, pathname);
+        if (params === null) continue;
+        const enrichedUrl = new URL(request.url);
+        for (const [key, value] of Object.entries(params)) {
+          enrichedUrl.searchParams.set(`_param_${key}`, value);
+        }
+        const enrichedRequest = new Request(enrichedUrl.toString(), request);
+        return endpoint.handler(enrichedRequest, endpointCtx);
+      }
+      return null;
+    },
+    getEndpoints() {
+      return [...endpoints];
+    }
+  };
+}
+
+// src/plugin/runner.ts
+async function runMigrations(db, provider, statements) {
+  if (statements.length === 0) return;
+  if (provider === "sqlite") {
+    const session = db.session;
+    if (session?.client?.exec) {
+      session.client.exec(`${statements.join(";\n")};`);
+      return;
+    }
+    const anyDb2 = db;
+    for (const sql of statements) {
+      await anyDb2.run(sql);
+    }
+    return;
+  }
+  const anyDb = db;
+  if (provider === "postgres") {
+    const client = anyDb.$client ?? anyDb.session?.client;
+    if (!client) {
+      throw new Error(
+        "KavachOS plugin migrations: cannot access underlying pg client from Drizzle instance."
+      );
+    }
+    for (const sql of statements) {
+      await client.query(sql);
+    }
+    return;
+  }
+  if (provider === "mysql") {
+    const client = anyDb.$client ?? anyDb.session?.client;
+    if (!client) {
+      throw new Error(
+        "KavachOS plugin migrations: cannot access underlying mysql2 client from Drizzle instance."
+      );
+    }
+    for (const sql of statements) {
+      await client.execute(sql);
+    }
+    return;
+  }
+  throw new Error(`runMigrations: unsupported provider "${provider}"`);
+}
+async function initializePlugins(plugins, db, config) {
+  const registry = {
+    endpoints: [],
+    migrations: [],
+    hooks: {
+      onRequest: [],
+      onAuthenticate: [],
+      onSessionCreate: [],
+      onSessionRevoke: []
+    },
+    pluginContext: {}
+  };
+  for (const plugin of plugins) {
+    const pluginMigrations = [];
+    const ctx = {
+      db,
+      config,
+      addEndpoint(endpoint) {
+        registry.endpoints.push(endpoint);
+      },
+      addMigration(sql) {
+        pluginMigrations.push(sql);
+        registry.migrations.push(sql);
+      }
+    };
+    if (plugin.init) {
+      const result = await plugin.init(ctx);
+      if (result?.context) {
+        Object.assign(registry.pluginContext, result.context);
+      }
+    }
+    if (plugin.hooks) {
+      if (plugin.hooks.onRequest) {
+        registry.hooks.onRequest.push(plugin.hooks.onRequest);
+      }
+      if (plugin.hooks.onAuthenticate) {
+        registry.hooks.onAuthenticate.push(plugin.hooks.onAuthenticate);
+      }
+      if (plugin.hooks.onSessionCreate) {
+        registry.hooks.onSessionCreate.push(plugin.hooks.onSessionCreate);
+      }
+      if (plugin.hooks.onSessionRevoke) {
+        registry.hooks.onSessionRevoke.push(plugin.hooks.onSessionRevoke);
+      }
+    }
+    if (pluginMigrations.length > 0) {
+      await runMigrations(db, config.database.provider, pluginMigrations);
+    }
+  }
+  return registry;
+}
+function emptyUsage() {
+  return {
+    tokensCostToday: 0,
+    tokensCostThisMonth: 0,
+    callsToday: 0,
+    callsThisMonth: 0,
+    lastUpdated: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function rowToPolicy(row) {
+  return {
+    id: row.id,
+    agentId: row.agentId ?? void 0,
+    userId: row.userId ?? void 0,
+    tenantId: row.tenantId ?? void 0,
+    limits: row.limits ?? {},
+    currentUsage: row.currentUsage ?? emptyUsage(),
+    action: row.action,
+    status: row.status,
+    createdAt: row.createdAt
+  };
+}
+function isExceeded(limits, usage) {
+  if (limits.maxCallsPerDay !== void 0 && usage.callsToday >= limits.maxCallsPerDay) return true;
+  if (limits.maxCallsPerMonth !== void 0 && usage.callsThisMonth >= limits.maxCallsPerMonth)
+    return true;
+  if (limits.maxTokensCostPerDay !== void 0 && usage.tokensCostToday >= limits.maxTokensCostPerDay)
+    return true;
+  if (limits.maxTokensCostPerMonth !== void 0 && usage.tokensCostThisMonth >= limits.maxTokensCostPerMonth)
+    return true;
+  return false;
+}
+function createPolicyModule(db) {
+  async function create(input) {
+    const id = `pol_${randomUUID().replace(/-/g, "")}`;
+    const now = /* @__PURE__ */ new Date();
+    const usage = emptyUsage();
+    await db.insert(budgetPolicies).values({
+      id,
+      agentId: input.agentId ?? null,
+      userId: input.userId ?? null,
+      tenantId: input.tenantId ?? null,
+      limits: input.limits,
+      currentUsage: usage,
+      action: input.action,
+      status: "active",
+      createdAt: now
+    });
+    return {
+      id,
+      agentId: input.agentId,
+      userId: input.userId,
+      tenantId: input.tenantId,
+      limits: input.limits,
+      currentUsage: usage,
+      action: input.action,
+      status: "active",
+      createdAt: now
+    };
+  }
+  async function get(policyId) {
+    const rows = await db.select().from(budgetPolicies).where(eq(budgetPolicies.id, policyId)).limit(1);
+    const row = rows[0];
+    if (!row) return null;
+    return rowToPolicy(row);
+  }
+  async function list(filters) {
+    let query = db.select().from(budgetPolicies).$dynamic();
+    const conditions = [];
+    if (filters?.agentId !== void 0) {
+      conditions.push(
+        or(eq(budgetPolicies.agentId, filters.agentId), isNull(budgetPolicies.agentId))
+      );
+    }
+    if (filters?.userId !== void 0) {
+      conditions.push(or(eq(budgetPolicies.userId, filters.userId), isNull(budgetPolicies.userId)));
+    }
+    if (filters?.tenantId !== void 0) {
+      conditions.push(
+        or(eq(budgetPolicies.tenantId, filters.tenantId), isNull(budgetPolicies.tenantId))
+      );
+    }
+    if (conditions.length > 0) {
+      query = query.where(and(...conditions));
+    }
+    const rows = await query;
+    return rows.map(rowToPolicy);
+  }
+  async function update(policyId, updates) {
+    const existing = await get(policyId);
+    if (!existing) throw new Error(`Policy "${policyId}" not found.`);
+    await db.update(budgetPolicies).set({
+      limits: updates.limits ?? existing.limits,
+      currentUsage: updates.currentUsage ?? existing.currentUsage,
+      action: updates.action ?? existing.action,
+      status: updates.status ?? existing.status
+    }).where(eq(budgetPolicies.id, policyId));
+    const updated = await get(policyId);
+    if (!updated) throw new Error(`Policy "${policyId}" disappeared after update.`);
+    return updated;
+  }
+  async function remove(policyId) {
+    const existing = await get(policyId);
+    if (!existing) throw new Error(`Policy "${policyId}" not found.`);
+    await db.delete(budgetPolicies).where(eq(budgetPolicies.id, policyId));
+  }
+  async function checkBudget(agentId, tokensCost) {
+    const rows = await db.select().from(budgetPolicies).where(
+      and(
+        ne(budgetPolicies.status, "disabled"),
+        or(eq(budgetPolicies.agentId, agentId), isNull(budgetPolicies.agentId))
+      )
+    );
+    for (const row of rows) {
+      const policy = rowToPolicy(row);
+      const usage = { ...policy.currentUsage };
+      if (tokensCost !== void 0) {
+        usage.tokensCostToday += tokensCost;
+        usage.tokensCostThisMonth += tokensCost;
+      }
+      if (isExceeded(policy.limits, usage)) {
+        return {
+          allowed: policy.action === "warn",
+          reason: `Budget policy "${policy.id}" exceeded (action: ${policy.action})`,
+          policy
+        };
+      }
+    }
+    return { allowed: true };
+  }
+  async function recordUsage(agentId, tokensCost) {
+    const rows = await db.select().from(budgetPolicies).where(
+      and(
+        ne(budgetPolicies.status, "disabled"),
+        or(eq(budgetPolicies.agentId, agentId), isNull(budgetPolicies.agentId))
+      )
+    );
+    for (const row of rows) {
+      const policy = rowToPolicy(row);
+      const usage = {
+        tokensCostToday: policy.currentUsage.tokensCostToday + (tokensCost ?? 0),
+        tokensCostThisMonth: policy.currentUsage.tokensCostThisMonth + (tokensCost ?? 0),
+        callsToday: policy.currentUsage.callsToday + 1,
+        callsThisMonth: policy.currentUsage.callsThisMonth + 1,
+        lastUpdated: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      const exceeded = isExceeded(policy.limits, usage);
+      const newStatus = exceeded ? "triggered" : policy.status;
+      await db.update(budgetPolicies).set({ currentUsage: usage, status: newStatus }).where(eq(budgetPolicies.id, policy.id));
+    }
+  }
+  async function resetDaily() {
+    const rows = await db.select().from(budgetPolicies);
+    let reset = 0;
+    for (const row of rows) {
+      const policy = rowToPolicy(row);
+      const usage = {
+        ...policy.currentUsage,
+        tokensCostToday: 0,
+        callsToday: 0,
+        lastUpdated: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      const stillExceeded = isExceeded(policy.limits, usage);
+      const newStatus = stillExceeded ? "triggered" : policy.status === "triggered" ? "active" : policy.status;
+      await db.update(budgetPolicies).set({ currentUsage: usage, status: newStatus }).where(eq(budgetPolicies.id, policy.id));
+      reset++;
+    }
+    return { reset };
+  }
+  async function resetMonthly() {
+    const rows = await db.select().from(budgetPolicies);
+    let reset = 0;
+    for (const row of rows) {
+      const policy = rowToPolicy(row);
+      const usage = {
+        ...policy.currentUsage,
+        tokensCostThisMonth: 0,
+        callsThisMonth: 0,
+        lastUpdated: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      const stillExceeded = isExceeded(policy.limits, usage);
+      const newStatus = stillExceeded ? "triggered" : policy.status === "triggered" ? "active" : policy.status;
+      await db.update(budgetPolicies).set({ currentUsage: usage, status: newStatus }).where(eq(budgetPolicies.id, policy.id));
+      reset++;
+    }
+    return { reset };
+  }
+  return { create, get, list, update, remove, checkBudget, recordUsage, resetDaily, resetMonthly };
+}
+function slugRegex() {
+  return /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
+}
+function rowToTenant(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    slug: row.slug,
+    settings: row.settings ?? {},
+    status: row.status,
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+function createTenantModule(db) {
+  async function create(input) {
+    if (!slugRegex().test(input.slug)) {
+      throw new Error(
+        `Invalid slug "${input.slug}". Use lowercase letters, numbers, and hyphens only.`
+      );
+    }
+    const existing = await db.select().from(tenants).where(eq(tenants.slug, input.slug)).limit(1);
+    if (existing.length > 0) {
+      throw new Error(`Tenant with slug "${input.slug}" already exists.`);
+    }
+    const id = `tnt_${randomUUID().replace(/-/g, "")}`;
+    const now = /* @__PURE__ */ new Date();
+    const settings = input.settings ?? {};
+    await db.insert(tenants).values({
+      id,
+      name: input.name,
+      slug: input.slug,
+      settings,
+      status: "active",
+      createdAt: now,
+      updatedAt: now
+    });
+    return {
+      id,
+      name: input.name,
+      slug: input.slug,
+      settings,
+      status: "active",
+      createdAt: now,
+      updatedAt: now
+    };
+  }
+  async function get(tenantId) {
+    const rows = await db.select().from(tenants).where(eq(tenants.id, tenantId)).limit(1);
+    const row = rows[0];
+    if (!row) return null;
+    return rowToTenant(row);
+  }
+  async function getBySlug(slug) {
+    const rows = await db.select().from(tenants).where(eq(tenants.slug, slug)).limit(1);
+    const row = rows[0];
+    if (!row) return null;
+    return rowToTenant(row);
+  }
+  async function list() {
+    const rows = await db.select().from(tenants);
+    return rows.map(rowToTenant);
+  }
+  async function update(tenantId, updates) {
+    const existing = await get(tenantId);
+    if (!existing) throw new Error(`Tenant "${tenantId}" not found.`);
+    if (updates.slug !== void 0 && updates.slug !== existing.slug) {
+      if (!slugRegex().test(updates.slug)) {
+        throw new Error(
+          `Invalid slug "${updates.slug}". Use lowercase letters, numbers, and hyphens only.`
+        );
+      }
+      const conflict = await db.select().from(tenants).where(eq(tenants.slug, updates.slug)).limit(1);
+      if (conflict.length > 0) {
+        throw new Error(`Tenant with slug "${updates.slug}" already exists.`);
+      }
+    }
+    const now = /* @__PURE__ */ new Date();
+    await db.update(tenants).set({
+      name: updates.name ?? existing.name,
+      slug: updates.slug ?? existing.slug,
+      settings: updates.settings ? { ...existing.settings, ...updates.settings } : existing.settings,
+      updatedAt: now
+    }).where(eq(tenants.id, tenantId));
+    const updated = await get(tenantId);
+    if (!updated) throw new Error(`Tenant "${tenantId}" disappeared after update.`);
+    return updated;
+  }
+  async function suspend(tenantId) {
+    const existing = await get(tenantId);
+    if (!existing) throw new Error(`Tenant "${tenantId}" not found.`);
+    await db.update(tenants).set({ status: "suspended", updatedAt: /* @__PURE__ */ new Date() }).where(eq(tenants.id, tenantId));
+  }
+  async function activate(tenantId) {
+    const existing = await get(tenantId);
+    if (!existing) throw new Error(`Tenant "${tenantId}" not found.`);
+    await db.update(tenants).set({ status: "active", updatedAt: /* @__PURE__ */ new Date() }).where(eq(tenants.id, tenantId));
+  }
+  return { create, get, getBySlug, list, update, suspend, activate };
+}
+var DEFAULT_THRESHOLDS = {
+  untrusted: 20,
+  limited: 40,
+  standard: 60,
+  trusted: 80,
+  elevated: 95
+};
+function scoreToLevel(score, thresholds) {
+  if (score >= thresholds.elevated) return "elevated";
+  if (score >= thresholds.trusted) return "trusted";
+  if (score >= thresholds.standard) return "standard";
+  if (score >= thresholds.limited) return "limited";
+  return "untrusted";
+}
+function clamp(value, min, max) {
+  return Math.max(min, Math.min(max, value));
+}
+function rowToScore(row) {
+  const factors = row.factors;
+  return {
+    agentId: row.agentId,
+    score: row.score,
+    level: row.level,
+    factors,
+    computedAt: row.computedAt.toISOString()
+  };
+}
+function createTrustModule(config, db) {
+  const thresholds = { ...DEFAULT_THRESHOLDS, ...config.thresholds };
+  async function computeScore(agentId) {
+    const now = /* @__PURE__ */ new Date();
+    const agentRows = await db.select({ createdAt: agents.createdAt }).from(agents).where(eq(agents.id, agentId)).limit(1);
+    const agentRow = agentRows[0];
+    const ageInDays = agentRow ? (now.getTime() - agentRow.createdAt.getTime()) / (1e3 * 60 * 60 * 24) : 0;
+    const allLogs = await db.select({
+      result: auditLogs.result,
+      reason: auditLogs.reason,
+      timestamp: auditLogs.timestamp
+    }).from(auditLogs).where(eq(auditLogs.agentId, agentId));
+    const totalCalls = allLogs.length;
+    const allowed = allLogs.filter((r) => r.result === "allowed").length;
+    const denied = allLogs.filter((r) => r.result === "denied").length;
+    const successRate = totalCalls > 0 ? allowed / totalCalls * 100 : 100;
+    const denialRate = totalCalls > 0 ? denied / totalCalls * 100 : 0;
+    const anomalyCount = allLogs.filter((r) => {
+      if (r.result !== "denied") return false;
+      const reason = r.reason ?? "";
+      return reason.includes("INSUFFICIENT_PERMISSIONS") || reason.toLowerCase().includes("privilege") || reason.toLowerCase().includes("escalation");
+    }).length;
+    const violationLogs = allLogs.filter((r) => r.result === "denied").sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime());
+    const lastViolation = violationLogs[0]?.timestamp.toISOString();
+    let score = 50;
+    score += Math.min(25, Math.floor(allowed / 100));
+    score -= denied * 5;
+    score -= anomalyCount * 10;
+    if (ageInDays > 30) score += 10;
+    else if (ageInDays > 7) score += 5;
+    score = clamp(Math.round(score), 0, 100);
+    const level = scoreToLevel(score, thresholds);
+    const factors = {
+      successRate: Math.round(successRate * 10) / 10,
+      denialRate: Math.round(denialRate * 10) / 10,
+      ageInDays: Math.round(ageInDays * 10) / 10,
+      totalCalls,
+      anomalyCount,
+      lastViolation
+    };
+    const existingRows = await db.select({ agentId: trustScores.agentId }).from(trustScores).where(eq(trustScores.agentId, agentId)).limit(1);
+    if (existingRows.length > 0) {
+      await db.update(trustScores).set({ score, level, factors, computedAt: now }).where(eq(trustScores.agentId, agentId));
+    } else {
+      await db.insert(trustScores).values({
+        agentId,
+        score,
+        level,
+        factors,
+        computedAt: now
+      });
+    }
+    return {
+      agentId,
+      score,
+      level,
+      factors,
+      computedAt: now.toISOString()
+    };
+  }
+  async function getScore(agentId) {
+    const rows = await db.select().from(trustScores).where(eq(trustScores.agentId, agentId)).limit(1);
+    const row = rows[0];
+    if (!row) return null;
+    return rowToScore(row);
+  }
+  async function computeAll() {
+    const activeAgents = await db.select({ id: agents.id }).from(agents).where(eq(agents.status, "active"));
+    const results = [];
+    for (const agent of activeAgents) {
+      const score = await computeScore(agent.id);
+      results.push(score);
+    }
+    return results;
+  }
+  async function getScores(filters) {
+    const rows = await db.select().from(trustScores);
+    let scores = rows.map(rowToScore);
+    if (filters?.level) {
+      scores = scores.filter((s) => s.level === filters.level);
+    }
+    if (filters?.minScore !== void 0) {
+      const min = filters.minScore;
+      scores = scores.filter((s) => s.score >= min);
+    }
+    return scores;
+  }
+  return {
+    computeScore,
+    getScore,
+    computeAll,
+    getScores
+  };
+}
+
+// src/kavach.ts
+function classifyViolation2(reason) {
+  const r = reason?.toLowerCase() ?? "";
+  if (r.includes("rate") || r.includes("rate_limited")) return "rate_limited";
+  if (r.includes("ip") || r.includes("allowlist")) return "ip_blocked";
+  if (r.includes("time") || r.includes("window")) return "time_restricted";
+  if (r.includes("approval")) return "approval_required";
+  return "permission_denied";
+}
+async function createKavach(config) {
+  const authAdapter = config.auth?.adapter ?? null;
   const db = await createDatabase(config.database);
   if (!config.database.skipMigrations) {
     await createTables(db, config.database.provider);
@@ -473,7 +2513,58 @@ async function createKavach(config) {
   const auditModule = createAuditModule({ db });
   const delegationModule = createDelegationModule({ db });
   const sessionManager = config.auth?.session ? createSessionManager(config.auth.session, db) : null;
+  const privilegeAnalyzer = createPrivilegeAnalyzer(db);
+  const hooks = config.hooks ?? {};
+  const tenantModule = createTenantModule(db);
+  const policyModule = createPolicyModule(db);
+  const approvalModule = createApprovalModule(config.approval ?? {}, db);
+  const trustModule = createTrustModule({}, db);
+  const didModule = createDidModule(db, config.did);
+  const magicLinkModule = config.magicLink && sessionManager ? createMagicLinkModule(config.magicLink, db, sessionManager) : null;
+  const emailOtpModule = config.emailOtp && sessionManager ? createEmailOtpModule(config.emailOtp, db, sessionManager) : null;
+  const totpModule = config.totp ? createTotpModule(config.totp, db) : null;
+  const passkeyModule = config.passkey ? createPasskeyModule(config.passkey, db) : null;
+  const orgModule = config.org ? createOrgModule(config.org, db) : null;
+  const ssoModule = config.sso ? createSsoModule(config.sso, db) : null;
+  const adminModule = config.admin ? createAdminModule(config.admin, db, sessionManager) : null;
+  const apiKeyManagerModule = config.apiKeys ? createApiKeyManagerModule(config.apiKeys, db) : null;
+  const usernameModule = config.username && sessionManager ? createUsernameAuthModule(config.username, db, sessionManager) : null;
+  const phoneModule = config.phone && sessionManager ? createPhoneAuthModule(config.phone, db, sessionManager) : null;
+  const captchaModule = config.captcha ? createCaptchaModule(config.captcha) : null;
+  const webhookModule = config.webhooks && config.webhooks.length > 0 ? createWebhookModule(config.webhooks) : null;
+  const pluginRegistry = await initializePlugins(config.plugins ?? [], db, config);
+  const endpointCtx = {
+    db,
+    async getUser(request) {
+      if (!authAdapter) return null;
+      return authAdapter.resolveUser(request);
+    },
+    async getSession(token) {
+      if (!sessionManager) return null;
+      return sessionManager.validate(token);
+    }
+  };
+  const pluginRouter = createPluginRouter(pluginRegistry.endpoints);
   async function authorize(agentId, request, context) {
+    if (hooks.beforeAuthorize) {
+      const verdict = await hooks.beforeAuthorize({
+        agentId,
+        action: request.action,
+        resource: request.resource,
+        arguments: request.arguments
+      });
+      if (verdict && !verdict.allow) {
+        const reason = verdict.reason ?? "Blocked by beforeAuthorize hook";
+        void hooks.onViolation?.({
+          type: classifyViolation2(reason),
+          agentId,
+          action: request.action,
+          resource: request.resource,
+          reason
+        });
+        return { allowed: false, reason, auditId: "" };
+      }
+    }
     const agent = await agentModule.get(agentId);
     if (!agent) {
       return {
@@ -491,13 +2582,42 @@ async function createKavach(config) {
     }
     const enrichedRequest = context ? { ...request, context } : request;
     const ownResult = await permissionEngine.authorize(agent, enrichedRequest);
-    if (ownResult.allowed) return ownResult;
-    const delegatedPerms = await delegationModule.getEffectivePermissions(agentId);
-    if (delegatedPerms.length === 0) return ownResult;
-    const agentWithDelegated = { ...agent, permissions: delegatedPerms };
-    const delegatedResult = await permissionEngine.authorize(agentWithDelegated, enrichedRequest);
-    if (delegatedResult.allowed) return delegatedResult;
-    return ownResult;
+    let finalResult;
+    if (ownResult.allowed) {
+      finalResult = ownResult;
+    } else {
+      const delegatedPerms = await delegationModule.getEffectivePermissions(agentId);
+      if (delegatedPerms.length === 0) {
+        finalResult = ownResult;
+      } else {
+        const agentWithDelegated = { ...agent, permissions: delegatedPerms };
+        const delegatedResult = await permissionEngine.authorize(
+          agentWithDelegated,
+          enrichedRequest
+        );
+        finalResult = delegatedResult.allowed ? delegatedResult : ownResult;
+      }
+    }
+    void hooks.afterAuthorize?.({
+      agentId,
+      action: request.action,
+      resource: request.resource,
+      result: {
+        allowed: finalResult.allowed,
+        reason: finalResult.reason,
+        auditId: finalResult.auditId
+      }
+    });
+    if (!finalResult.allowed) {
+      void hooks.onViolation?.({
+        type: classifyViolation2(finalResult.reason),
+        agentId,
+        action: request.action,
+        resource: request.resource,
+        reason: finalResult.reason ?? "Authorization denied"
+      });
+    }
+    return finalResult;
   }
   async function authorizeByToken(token, request, context) {
     const agent = await agentModule.validateToken(token);
@@ -519,6 +2639,31 @@ async function createKavach(config) {
     }
     return delegationModule.delegate(input, parentAgent.permissions);
   }
+  const agentProxy = {
+    async create(...args) {
+      const [input] = args;
+      if (hooks.beforeAgentCreate) {
+        const verdict = await hooks.beforeAgentCreate(input);
+        if (verdict && !verdict.allow) {
+          throw new Error(verdict.reason ?? "Agent creation blocked by beforeAgentCreate hook");
+        }
+      }
+      const agent = await agentModule.create(input);
+      void hooks.afterAgentCreate?.(agent);
+      return agent;
+    },
+    async revoke(agentId) {
+      await agentModule.revoke(agentId);
+      void hooks.onAgentRevoke?.(agentId);
+    },
+    async rotate(...args) {
+      return agentModule.rotate(...args);
+    },
+    get: agentModule.get,
+    list: agentModule.list,
+    update: agentModule.update,
+    validateToken: agentModule.validateToken
+  };
   const mcpRegistry = {
     /**
      * Register a new MCP tool server.
@@ -581,15 +2726,7 @@ async function createKavach(config) {
     }
   };
   return {
-    agent: {
-      create: agentModule.create,
-      get: agentModule.get,
-      list: agentModule.list,
-      update: agentModule.update,
-      revoke: agentModule.revoke,
-      rotate: agentModule.rotate,
-      validateToken: agentModule.validateToken
-    },
+    agent: agentProxy,
     authorize,
     authorizeByToken,
     delegate,
@@ -610,6 +2747,17 @@ async function createKavach(config) {
      * database table — no separate in-memory store needed.
      */
     mcp: mcpRegistry,
+    /**
+     * Least-privilege analyzer.
+     *
+     * Compare agent permissions against actual audit log usage to surface
+     * wildcards, unused grants, and over-permissioned identities.
+     */
+    analyzer: {
+      analyzeAgent: privilegeAnalyzer.analyzeAgent,
+      analyzeAll: privilegeAnalyzer.analyzeAll,
+      getSummary: privilegeAnalyzer.getSummary
+    },
     /**
      * Human auth integration.
      *
@@ -645,7 +2793,249 @@ async function createKavach(config) {
       return authAdapter.resolveUser(request);
     },
     /** Direct database access for advanced usage */
-    db
+    db,
+    /**
+     * Multi-tenant isolation.
+     *
+     * Create and manage tenants (organizations) that share a single
+     * KavachOS instance with full data isolation. Agents can be scoped
+     * to a tenant via `tenantId`.
+     */
+    tenant: tenantModule,
+    /**
+     * Agent execution budget policies.
+     *
+     * Set spending caps (token cost, call counts) per agent, user, or
+     * tenant. Exceeded policies trigger a configurable action: warn,
+     * throttle, block, or revoke.
+     */
+    policies: policyModule,
+    /**
+     * CIBA-style async human approval flows.
+     *
+     * Create pending approval requests, notify humans via webhook or
+     * custom handler, and resolve them with approve / deny.
+     */
+    approval: approvalModule,
+    /**
+     * Graduated autonomy trust scoring.
+     *
+     * Compute and persist 0-100 trust scores derived from audit history,
+     * mapped to five levels: untrusted, limited, standard, trusted, elevated.
+     */
+    trust: trustModule,
+    /**
+     * W3C Decentralized Identifiers (DID) for agents.
+     *
+     * Generate did:key or did:web identities, sign payloads, and verify
+     * signatures. Private keys are never stored — they are returned to
+     * the caller on generation and must be stored securely.
+     *
+     * @example
+     * ```typescript
+     * const { agentDid, privateKeyJwk } = await kavach.did.generateKey(agentId);
+     * const signed = await kavach.did.sign(agentId, { action: 'read' }, privateKeyJwk);
+     * const result = await kavach.did.verify(signed.jws, agentDid.did);
+     * ```
+     */
+    did: didModule,
+    /**
+     * Magic link (passwordless email) authentication.
+     *
+     * Null when `magicLink` config was not provided or `auth.session` is not
+     * configured (sessions are required to issue tokens on verification).
+     *
+     * @example
+     * ```typescript
+     * // In your route handler
+     * const response = await kavach.magicLink?.handleRequest(request);
+     * if (response) return response;
+     * ```
+     */
+    magicLink: magicLinkModule,
+    /**
+     * Email OTP (one-time password) authentication.
+     *
+     * Null when `emailOtp` config was not provided or `auth.session` is not
+     * configured.
+     *
+     * @example
+     * ```typescript
+     * const response = await kavach.emailOtp?.handleRequest(request);
+     * if (response) return response;
+     * ```
+     */
+    emailOtp: emailOtpModule,
+    /**
+     * TOTP two-factor authentication.
+     *
+     * Null when `totp` config was not provided.
+     *
+     * @example
+     * ```typescript
+     * // On setup (show QR code to user)
+     * const { secret, uri, backupCodes } = await kavach.totp.setup(userId);
+     *
+     * // After user scans QR and enters code
+     * const { enabled } = await kavach.totp.enable(userId, totpCode);
+     *
+     * // On login (after password check)
+     * const { valid } = await kavach.totp.verify(userId, totpCode);
+     * ```
+     */
+    totp: totpModule,
+    /**
+     * Passkey / WebAuthn authentication.
+     *
+     * Null when `passkey` config was not provided.
+     *
+     * @example
+     * ```typescript
+     * // Registration — step 1: get options, send to browser
+     * const options = await kavach.passkey.getRegistrationOptions(userId, userName);
+     *
+     * // Registration — step 2: verify browser response
+     * const { credential } = await kavach.passkey.verifyRegistration(userId, response);
+     *
+     * // Authentication — step 1: get options
+     * const options = await kavach.passkey.getAuthenticationOptions(userId);
+     *
+     * // Authentication — step 2: verify browser response
+     * const result = await kavach.passkey.verifyAuthentication(response);
+     * if (result) console.log('Authenticated user:', result.userId);
+     * ```
+     */
+    passkey: passkeyModule,
+    /**
+     * Organizations + RBAC.
+     *
+     * Null when `org` config was not provided.
+     *
+     * @example
+     * ```typescript
+     * const org = await kavach.org?.create({ name: 'Acme', slug: 'acme', ownerId: userId });
+     * const allowed = await kavach.org?.hasPermission(org.id, userId, 'agents:create');
+     * ```
+     */
+    org: orgModule,
+    /**
+     * SSO (SAML 2.0 + OIDC) enterprise authentication.
+     *
+     * Null when `sso` config was not provided.
+     *
+     * @example
+     * ```typescript
+     * const conn = await kavach.sso?.createConnection({ orgId, providerId: 'okta', type: 'saml', domain: 'acme.com' });
+     * const url = await kavach.sso?.getSamlAuthUrl(conn.id);
+     * ```
+     */
+    sso: ssoModule,
+    /**
+     * Admin module.
+     *
+     * Null when `admin` config was not provided.
+     *
+     * @example
+     * ```typescript
+     * await kavach.admin?.banUser(userId, 'Spam');
+     * const { session } = await kavach.admin?.impersonate(adminId, userId);
+     * ```
+     */
+    admin: adminModule,
+    /**
+     * API key management.
+     *
+     * Null when `apiKeys` config was not provided.
+     *
+     * @example
+     * ```typescript
+     * const { key, apiKey } = await kavach.apiKeys?.create({ userId, name: 'CI', permissions: ['agents:read'] });
+     * const result = await kavach.apiKeys?.validate(key);
+     * ```
+     */
+    apiKeys: apiKeyManagerModule,
+    /**
+     * Username + password authentication.
+     *
+     * Null when `username` config was not provided or `auth.session` is not
+     * configured (sessions are required to issue tokens on sign-in/up).
+     *
+     * @example
+     * ```typescript
+     * const response = await kavach.username?.handleRequest(request);
+     * if (response) return response;
+     * ```
+     */
+    username: usernameModule,
+    /**
+     * Phone number (SMS OTP) authentication.
+     *
+     * Null when `phone` config was not provided or `auth.session` is not
+     * configured.
+     *
+     * @example
+     * ```typescript
+     * const response = await kavach.phone?.handleRequest(request);
+     * if (response) return response;
+     * ```
+     */
+    phone: phoneModule,
+    /**
+     * Captcha integration (reCAPTCHA, hCaptcha, Cloudflare Turnstile).
+     *
+     * Null when `captcha` config was not provided.
+     *
+     * @example
+     * ```typescript
+     * const result = await kavach.captcha?.verify(token, ip);
+     * if (!result?.success) return new Response('Captcha failed', { status: 403 });
+     * ```
+     */
+    captcha: captchaModule,
+    /**
+     * Webhook system.
+     *
+     * Null when `webhooks` config was not provided or the array is empty.
+     *
+     * @example
+     * ```typescript
+     * kavach.webhooks?.emit('user.created', { userId: user.id });
+     * ```
+     */
+    webhooks: webhookModule,
+    /**
+     * Plugin system.
+     *
+     * Route incoming HTTP requests through plugin-registered endpoints,
+     * retrieve all endpoints for adapter mounting, or access plugin-provided
+     * context values.
+     *
+     * @example
+     * ```typescript
+     * // In a framework adapter
+     * app.all('/kavach/*', async (req) => {
+     *   const response = await kavach.plugins.handleRequest(req);
+     *   if (response) return response;
+     *   return new Response('Not Found', { status: 404 });
+     * });
+     * ```
+     */
+    plugins: {
+      /** Route a request through plugin endpoints. Returns null if no plugin handles it. */
+      handleRequest(request, basePath = "") {
+        return pluginRouter.handle(request, basePath, endpointCtx);
+      },
+      /** Get all endpoints registered by plugins (for framework adapter mounting). */
+      getEndpoints() {
+        return pluginRouter.getEndpoints();
+      },
+      /** Get the merged plugin context (values returned from plugin init). */
+      getContext() {
+        return { ...pluginRegistry.pluginContext };
+      },
+      /** Access the raw plugin registry (hooks, migrations, etc.). */
+      registry: pluginRegistry
+    }
   };
 }
 
@@ -1053,6 +3443,491 @@ function generateOpenAPISpec(options) {
   };
 }
 
-export { createDatabase, createDatabaseSync, createDelegationModule, createKavach, createSessionManager, createTables, generateOpenAPISpec };
+// src/session/cookie.ts
+var IS_PRODUCTION = typeof process !== "undefined" && process.env.NODE_ENV === "production";
+var DEFAULT_OPTIONS = {
+  httpOnly: true,
+  secure: IS_PRODUCTION,
+  sameSite: "lax",
+  path: "/"
+};
+function serializeCookie(name, value, options) {
+  validateCookieName(name);
+  const opts = { ...DEFAULT_OPTIONS, ...options };
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  if (opts.httpOnly) parts.push("HttpOnly");
+  if (opts.secure) parts.push("Secure");
+  const sameSite = opts.sameSite ?? "lax";
+  parts.push(`SameSite=${capitalize(sameSite)}`);
+  const path = opts.path ?? "/";
+  parts.push(`Path=${path}`);
+  if (options?.domain) parts.push(`Domain=${options.domain}`);
+  if (options?.maxAge !== void 0) {
+    parts.push(`Max-Age=${options.maxAge}`);
+    const expiryDate = new Date(Date.now() + options.maxAge * 1e3);
+    parts.push(`Expires=${expiryDate.toUTCString()}`);
+  } else if (options?.expires) {
+    parts.push(`Expires=${options.expires.toUTCString()}`);
+  }
+  if (options?.partitioned) parts.push("Partitioned");
+  return parts.join("; ");
+}
+function serializeCookieDeletion(name, options) {
+  return serializeCookie(name, "", {
+    ...options,
+    maxAge: 0,
+    expires: /* @__PURE__ */ new Date(0)
+  });
+}
+function parseCookies(header) {
+  const result = {};
+  if (!header || !header.trim()) return result;
+  for (const pair of header.split(";")) {
+    const eqIndex = pair.indexOf("=");
+    if (eqIndex === -1) continue;
+    const name = pair.slice(0, eqIndex).trim();
+    const raw = pair.slice(eqIndex + 1).trim();
+    if (!name) continue;
+    try {
+      result[name] = decodeURIComponent(raw);
+    } catch {
+    }
+  }
+  return result;
+}
+function getCookie(header, name) {
+  return parseCookies(header)[name];
+}
+function parseCookiesFromRequest(request) {
+  return parseCookies(request.headers.get("cookie") ?? "");
+}
+function capitalize(s) {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
+var COOKIE_NAME_SEPARATORS = /[\s()<>@,;:\\"/[\]?={}]/;
+function validateCookieName(name) {
+  if (!name) {
+    throw new Error(`Invalid cookie name: "${name}"`);
+  }
+  for (let i = 0; i < name.length; i++) {
+    const code2 = name.charCodeAt(i);
+    if (code2 <= 31 || code2 === 127) {
+      throw new Error(`Invalid cookie name: "${name}"`);
+    }
+  }
+  if (COOKIE_NAME_SEPARATORS.test(name)) {
+    throw new Error(`Invalid cookie name: "${name}"`);
+  }
+}
+
+// src/session/csrf.ts
+var TOKEN_BYTE_LENGTH = 32;
+function generateCsrfToken() {
+  const bytes = new Uint8Array(TOKEN_BYTE_LENGTH);
+  crypto.getRandomValues(bytes);
+  return uint8ArrayToBase64Url(bytes);
+}
+function validateCsrfToken(requestToken, cookieToken) {
+  if (!requestToken || !cookieToken) {
+    return { valid: false, reason: "Missing CSRF token" };
+  }
+  if (!timingSafeEqual(requestToken, cookieToken)) {
+    return { valid: false, reason: "CSRF token mismatch" };
+  }
+  return { valid: true };
+}
+function validateOrigin(request, trustedOrigins, allowMissingOrigin = false) {
+  const normalised = trustedOrigins.map(normaliseOrigin);
+  const originHeader = request.headers.get("origin");
+  if (originHeader) {
+    if (originHeader === "null") {
+      return { valid: false, reason: "Opaque origin rejected" };
+    }
+    const requestOrigin = normaliseOrigin(originHeader);
+    if (normalised.includes(requestOrigin)) {
+      return { valid: true };
+    }
+    return {
+      valid: false,
+      reason: `Origin "${originHeader}" is not in the trusted list`
+    };
+  }
+  const refererHeader = request.headers.get("referer");
+  if (refererHeader) {
+    try {
+      const refererOrigin = normaliseOrigin(new URL(refererHeader).origin);
+      if (normalised.includes(refererOrigin)) {
+        return { valid: true };
+      }
+      return {
+        valid: false,
+        reason: `Referer origin "${refererOrigin}" is not in the trusted list`
+      };
+    } catch {
+      return { valid: false, reason: "Malformed Referer header" };
+    }
+  }
+  if (allowMissingOrigin) {
+    return { valid: true };
+  }
+  return { valid: false, reason: "No Origin or Referer header present" };
+}
+function normaliseOrigin(origin) {
+  return origin.replace(/\/$/, "").toLowerCase();
+}
+function timingSafeEqual(a, b) {
+  const aBytes = new TextEncoder().encode(a);
+  const bBytes = new TextEncoder().encode(b);
+  if (aBytes.length !== bBytes.length) {
+    let _diff = 0;
+    const max = Math.max(aBytes.length, bBytes.length);
+    for (let i = 0; i < max; i++) {
+      _diff |= (aBytes[i] ?? 0) ^ (bBytes[i] ?? 0);
+    }
+    return false;
+  }
+  let diff = 0;
+  for (let i = 0; i < aBytes.length; i++) {
+    diff |= (aBytes[i] ?? 0) ^ (bBytes[i] ?? 0);
+  }
+  return diff === 0;
+}
+function uint8ArrayToBase64Url(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64url");
+  }
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+var DEFAULT_SESSION_NAME = "kavach_session";
+var DEFAULT_MAX_AGE_SECONDS = 60 * 60 * 24 * 7;
+function createCookieSessionManager(config, db) {
+  const sessionName = config.sessionName ?? DEFAULT_SESSION_NAME;
+  const maxAgeSecs = config.maxAge ?? DEFAULT_MAX_AGE_SECONDS;
+  const autoRefresh = config.autoRefresh ?? true;
+  const raw = createSessionManager(config, db);
+  const baseCookieOpts = {
+    httpOnly: true,
+    sameSite: "lax",
+    path: "/",
+    ...config.cookieOptions,
+    maxAge: maxAgeSecs
+  };
+  function buildSetCookie(token) {
+    return serializeCookie(sessionName, token, baseCookieOpts);
+  }
+  function buildDeleteCookie() {
+    const { maxAge: _omit, ...rest } = baseCookieOpts;
+    return serializeCookieDeletion(sessionName, rest);
+  }
+  async function createSession(userId, metadata) {
+    const { session, token } = await raw.create(userId, metadata);
+    return { session, setCookieHeader: buildSetCookie(token) };
+  }
+  async function validateSession(cookieHeader) {
+    const token = getCookie(cookieHeader, sessionName);
+    if (!token) {
+      return { session: null, refreshCookieHeader: null };
+    }
+    const session = await raw.validate(token);
+    if (!session) {
+      return { session: null, refreshCookieHeader: null };
+    }
+    if (autoRefresh) {
+      const refreshed = await refreshSession(session.id);
+      if (refreshed) {
+        return { session: refreshed.session, refreshCookieHeader: refreshed.setCookieHeader };
+      }
+    }
+    return { session, refreshCookieHeader: null };
+  }
+  async function refreshSession(sessionId) {
+    const rows = await db.select().from(sessions).where(and(eq(sessions.id, sessionId)));
+    const row = rows[0];
+    if (!row) return null;
+    if (row.expiresAt <= /* @__PURE__ */ new Date()) return null;
+    await db.delete(sessions).where(eq(sessions.id, sessionId));
+    const { session: newSession, token: newToken } = await raw.create(
+      row.userId,
+      row.metadata ?? void 0
+    );
+    return { session: newSession, setCookieHeader: buildSetCookie(newToken) };
+  }
+  async function revokeSession(sessionId) {
+    await raw.revoke(sessionId);
+    return { deleteCookieHeader: buildDeleteCookie() };
+  }
+  async function revokeAllSessions(userId) {
+    await raw.revokeAll(userId);
+    return { deleteCookieHeader: buildDeleteCookie() };
+  }
+  async function listSessions(userId) {
+    return raw.list(userId);
+  }
+  function buildLogoutCookie() {
+    return buildDeleteCookie();
+  }
+  return {
+    createSession,
+    validateSession,
+    refreshSession,
+    revokeSession,
+    revokeAllSessions,
+    listSessions,
+    buildLogoutCookie,
+    raw
+  };
+}
+var MultiSessionLimitError = class extends Error {
+  code = "SESSION_LIMIT_REACHED";
+  constructor(userId, max) {
+    super(`User ${userId} has reached the maximum of ${max} concurrent sessions`);
+  }
+};
+function parseUserAgent(ua) {
+  if (!ua) return void 0;
+  let os;
+  if (/iphone|ipad|ipod/i.test(ua)) {
+    os = "iOS";
+  } else if (/android/i.test(ua)) {
+    os = "Android";
+  } else if (/macintosh|mac os x/i.test(ua)) {
+    os = "macOS";
+  } else if (/windows/i.test(ua)) {
+    os = "Windows";
+  } else if (/linux/i.test(ua)) {
+    os = "Linux";
+  } else {
+    os = "Unknown OS";
+  }
+  let browser;
+  if (/edg\//i.test(ua)) {
+    browser = "Edge";
+  } else if (/opr\//i.test(ua) || /opera/i.test(ua)) {
+    browser = "Opera";
+  } else if (/firefox\//i.test(ua)) {
+    browser = "Firefox";
+  } else if (/chrome\//i.test(ua) && !/chromium/i.test(ua)) {
+    browser = "Chrome";
+  } else if (/safari\//i.test(ua) && !/chrome/i.test(ua)) {
+    browser = "Safari";
+  } else if (/curl\//i.test(ua)) {
+    browser = "curl";
+  } else if (/python-requests/i.test(ua)) {
+    browser = "Python";
+  } else {
+    browser = "Unknown";
+  }
+  return `${browser} on ${os}`;
+}
+function rowToSessionInfo(row) {
+  const metadata = row.metadata ?? void 0;
+  const device = metadata && typeof metadata.device === "string" ? metadata.device : void 0;
+  const ip = metadata && typeof metadata.ip === "string" ? metadata.ip : void 0;
+  let cleanMetadata;
+  if (metadata) {
+    const { device: _d, ip: _i, ...rest } = metadata;
+    cleanMetadata = Object.keys(rest).length > 0 ? rest : void 0;
+  }
+  return {
+    id: row.id,
+    createdAt: row.createdAt,
+    expiresAt: row.expiresAt,
+    ...cleanMetadata !== void 0 && { metadata: cleanMetadata },
+    ...device !== void 0 && { device },
+    ...ip !== void 0 && { ip }
+  };
+}
+function createMultiSessionModule(config, db, sessionManager) {
+  const maxSessions = config.maxSessions ?? 10;
+  const overflowStrategy = config.overflowStrategy ?? "evict-oldest";
+  async function listSessions(userId) {
+    const now = /* @__PURE__ */ new Date();
+    const rows = await db.select().from(sessions).where(eq(sessions.userId, userId));
+    return rows.filter((r) => r.expiresAt > now).sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime()).map(rowToSessionInfo);
+  }
+  async function revokeSession(sessionId) {
+    await sessionManager.revoke(sessionId);
+  }
+  async function revokeOtherSessions(userId, currentSessionId) {
+    const now = /* @__PURE__ */ new Date();
+    const activeRows = await db.select({ id: sessions.id, expiresAt: sessions.expiresAt }).from(sessions).where(and(eq(sessions.userId, userId), ne(sessions.id, currentSessionId)));
+    const activeIds = activeRows.filter((r) => r.expiresAt > now).map((r) => r.id);
+    for (const id of activeIds) {
+      await sessionManager.revoke(id);
+    }
+    return activeIds.length;
+  }
+  async function getSessionCount(userId) {
+    const now = /* @__PURE__ */ new Date();
+    const rows = await db.select({ id: sessions.id, expiresAt: sessions.expiresAt }).from(sessions).where(eq(sessions.userId, userId));
+    return rows.filter((r) => r.expiresAt > now).length;
+  }
+  async function enforceSessionLimit(userId) {
+    const now = /* @__PURE__ */ new Date();
+    const rows = await db.select({ id: sessions.id, expiresAt: sessions.expiresAt, createdAt: sessions.createdAt }).from(sessions).where(eq(sessions.userId, userId));
+    const activeSessions = rows.filter((r) => r.expiresAt > now).sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());
+    if (activeSessions.length < maxSessions) return;
+    if (overflowStrategy === "reject") {
+      throw new MultiSessionLimitError(userId, maxSessions);
+    }
+    const toEvict = activeSessions.slice(0, activeSessions.length - maxSessions + 1);
+    for (const s of toEvict) {
+      await sessionManager.revoke(s.id);
+    }
+  }
+  return { listSessions, revokeSession, revokeOtherSessions, getSessionCount, enforceSessionLimit };
+}
+function buildSessionMetadata(request, extra) {
+  const ua = request.headers.get("user-agent");
+  const ip = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? request.headers.get("x-real-ip") ?? void 0;
+  const device = parseUserAgent(ua);
+  return {
+    ...device !== void 0 && { device },
+    ...ip !== void 0 && { ip },
+    ...extra
+  };
+}
+
+// src/webhooks/webhook.ts
+function generateId() {
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function signPayload2(secret, body) {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  const messageData = encoder.encode(body);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", key, messageData);
+  const hex = Array.from(new Uint8Array(signature), (b) => b.toString(16).padStart(2, "0")).join(
+    ""
+  );
+  return `sha256=${hex}`;
+}
+async function deliverWebhook(url, event, payload, deliveryId, timestamp, signature, timeoutMs) {
+  try {
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "x-kavach-event": event,
+        "x-kavach-delivery": deliveryId,
+        "x-kavach-timestamp": timestamp,
+        "x-kavach-signature": signature
+      },
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    return { success: response.ok, statusCode: response.status };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : "Unknown error"
+    };
+  }
+}
+async function dispatchWithRetry(url, event, payload, config) {
+  const deliveryId = generateId();
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const body = JSON.stringify(payload);
+  const signature = await signPayload2(config.secret, body);
+  const delays = [1e3, 2e3, 4e3];
+  for (let attempt = 0; attempt < config.maxRetries; attempt++) {
+    if (attempt > 0) {
+      await new Promise((resolve) => setTimeout(resolve, delays[attempt - 1] ?? 4e3));
+    }
+    const result = await deliverWebhook(
+      url,
+      event,
+      payload,
+      deliveryId,
+      timestamp,
+      signature,
+      config.timeoutMs
+    );
+    if (result.success) {
+      return;
+    }
+  }
+}
+function createWebhookModule2(config) {
+  const resolvedConfig = {
+    secret: config.secret,
+    maxRetries: config.maxRetries ?? 3,
+    timeoutMs: config.timeoutMs ?? 1e4
+  };
+  const subscriptions = /* @__PURE__ */ new Map();
+  async function subscribe(url, events) {
+    const sub = {
+      id: generateId(),
+      url,
+      events,
+      active: true,
+      createdAt: /* @__PURE__ */ new Date()
+    };
+    subscriptions.set(sub.id, sub);
+    return sub;
+  }
+  async function unsubscribe(subscriptionId) {
+    subscriptions.delete(subscriptionId);
+  }
+  async function list() {
+    return Array.from(subscriptions.values());
+  }
+  function dispatch(event, payload) {
+    const matching = Array.from(subscriptions.values()).filter(
+      (sub) => sub.active && sub.events.includes(event)
+    );
+    for (const sub of matching) {
+      void dispatchWithRetry(sub.url, event, payload, resolvedConfig);
+    }
+  }
+  async function test(subscriptionId) {
+    const sub = subscriptions.get(subscriptionId);
+    if (!sub) {
+      return { success: false, error: "Subscription not found" };
+    }
+    const deliveryId = generateId();
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const pingPayload = { event: "ping", subscriptionId, timestamp };
+    const body = JSON.stringify(pingPayload);
+    const signature = await signPayload2(resolvedConfig.secret, body);
+    return deliverWebhook(
+      sub.url,
+      "auth.login",
+      // placeholder event type for test delivery
+      pingPayload,
+      deliveryId,
+      timestamp,
+      signature,
+      resolvedConfig.timeoutMs
+    );
+  }
+  return { subscribe, unsubscribe, list, dispatch, test };
+}
+async function verifyWebhookSignature(secret, rawBody, signature) {
+  const expected = await signPayload2(secret, rawBody);
+  if (expected.length !== signature.length) return false;
+  const a = new TextEncoder().encode(expected);
+  const b = new TextEncoder().encode(signature);
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
+  }
+  return diff === 0;
+}
+
+export { MultiSessionLimitError, buildDidDocument, buildSessionMetadata, classifyViolation, createApprovalModule, createCookieSessionManager, createDatabase, createDatabaseSync, createDelegationModule, createDidModule, createEmailTemplates, createI18n, createKavach, createMultiSessionModule, createPluginRouter, createPolicyModule, createPresentation, createPrivilegeAnalyzer, createTables, createTenantModule, createTrustModule, createWebhookModule2 as createWebhookModule, de, en, es, fr, generateCsrfToken, generateDidKey, generateDidWeb, generateOpenAPISpec, getCookie, getDidWebUrl, initializePlugins, ja, parseCookies, parseCookiesFromRequest, resolveDidKey, resolveDidWeb, serializeCookie, serializeCookieDeletion, signPayload, validateCsrfToken, validateOrigin, verifyPayload, verifyPresentation, verifyWebhookSignature, zh };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map