kavachos 0.0.4 → 0.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/dist/a2a/index.d.ts +2340 -0
  2. package/dist/a2a/index.js +821 -0
  3. package/dist/a2a/index.js.map +1 -0
  4. package/dist/agent/index.d.ts +3 -4
  5. package/dist/agent/index.js +4 -3
  6. package/dist/audit/index.d.ts +2 -3
  7. package/dist/audit/index.js +3 -3
  8. package/dist/auth/index.d.ts +490 -93
  9. package/dist/auth/index.js +4 -3
  10. package/dist/{chunk-KL6XW4S4.js → chunk-FKVAXCNJ.js} +2375 -633
  11. package/dist/chunk-FKVAXCNJ.js.map +1 -0
  12. package/dist/{chunk-5DT4DN4Y.js → chunk-IKTOSJ4O.js} +13 -13
  13. package/dist/chunk-IKTOSJ4O.js.map +1 -0
  14. package/dist/{chunk-V66UUIA7.js → chunk-KDL6A76K.js} +93 -4
  15. package/dist/chunk-KDL6A76K.js.map +1 -0
  16. package/dist/chunk-NSBPE2FW.js +15 -0
  17. package/dist/{chunk-PZ5AY32C.js.map → chunk-NSBPE2FW.js.map} +1 -1
  18. package/dist/chunk-NSTER7KE.js +538 -0
  19. package/dist/chunk-NSTER7KE.js.map +1 -0
  20. package/dist/chunk-QCRHJMDX.js +186 -0
  21. package/dist/chunk-QCRHJMDX.js.map +1 -0
  22. package/dist/{chunk-OVGNZ5OX.js → chunk-VHKZARMM.js} +6 -6
  23. package/dist/chunk-VHKZARMM.js.map +1 -0
  24. package/dist/{chunk-SJGSPIAD.js → chunk-Y3OWAJHK.js} +3 -3
  25. package/dist/{chunk-SJGSPIAD.js.map → chunk-Y3OWAJHK.js.map} +1 -1
  26. package/dist/index.d.ts +138 -6
  27. package/dist/index.js +580 -35
  28. package/dist/index.js.map +1 -1
  29. package/dist/mcp/index.d.ts +2 -2
  30. package/dist/mcp/index.js +12 -16
  31. package/dist/mcp/index.js.map +1 -1
  32. package/dist/permission/index.d.ts +3 -4
  33. package/dist/permission/index.js +4 -3
  34. package/dist/{types-Xk83hv4O.d.ts → types-W8X0PXE7.d.ts} +1764 -99
  35. package/dist/vc/index.d.ts +800 -0
  36. package/dist/vc/index.js +5 -0
  37. package/dist/vc/index.js.map +1 -0
  38. package/package.json +17 -1
  39. package/dist/chunk-5DT4DN4Y.js.map +0 -1
  40. package/dist/chunk-KL6XW4S4.js.map +0 -1
  41. package/dist/chunk-OVGNZ5OX.js.map +0 -1
  42. package/dist/chunk-PZ5AY32C.js +0 -9
  43. package/dist/chunk-V66UUIA7.js.map +0 -1
  44. package/dist/{types-mwupB57A.d.ts → types-BuHrZcjE.d.ts} +2 -2
@@ -1,6 +1,6 @@
1
- import { BetterSQLite3Database } from 'drizzle-orm/better-sqlite3';
2
1
  import * as drizzle_orm_sqlite_core from 'drizzle-orm/sqlite-core';
3
- import { f as McpConfig } from './types-mwupB57A.js';
2
+ import { BaseSQLiteDatabase } from 'drizzle-orm/sqlite-core';
3
+ import { R as Result, f as McpConfig } from './types-BuHrZcjE.js';
4
4
 
5
5
  declare const users: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6
6
  name: "kavach_users";
@@ -209,6 +209,23 @@ declare const users: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
209
209
  identity: undefined;
210
210
  generated: undefined;
211
211
  }, {}, {}>;
212
+ emailVerified: drizzle_orm_sqlite_core.SQLiteColumn<{
213
+ name: "email_verified";
214
+ tableName: "kavach_users";
215
+ dataType: "number";
216
+ columnType: "SQLiteInteger";
217
+ data: number;
218
+ driverParam: number;
219
+ notNull: true;
220
+ hasDefault: true;
221
+ isPrimaryKey: false;
222
+ isAutoincrement: false;
223
+ hasRuntimeDefault: false;
224
+ enumValues: undefined;
225
+ baseColumn: never;
226
+ identity: undefined;
227
+ generated: undefined;
228
+ }, {}, {}>;
212
229
  stripeCustomerId: drizzle_orm_sqlite_core.SQLiteColumn<{
213
230
  name: "stripe_customer_id";
214
231
  tableName: "kavach_users";
@@ -5923,13 +5940,13 @@ declare const oidcRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<
5923
5940
  };
5924
5941
  dialect: "sqlite";
5925
5942
  }>;
5926
- declare const jwtRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
5927
- name: "kavach_jwt_refresh_tokens";
5943
+ declare const costEvents: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
5944
+ name: "kavach_cost_events";
5928
5945
  schema: undefined;
5929
5946
  columns: {
5930
5947
  id: drizzle_orm_sqlite_core.SQLiteColumn<{
5931
5948
  name: "id";
5932
- tableName: "kavach_jwt_refresh_tokens";
5949
+ tableName: "kavach_cost_events";
5933
5950
  dataType: "string";
5934
5951
  columnType: "SQLiteText";
5935
5952
  data: string;
@@ -5946,9 +5963,9 @@ declare const jwtRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
5946
5963
  }, {}, {
5947
5964
  length: number | undefined;
5948
5965
  }>;
5949
- tokenHash: drizzle_orm_sqlite_core.SQLiteColumn<{
5950
- name: "token_hash";
5951
- tableName: "kavach_jwt_refresh_tokens";
5966
+ agentId: drizzle_orm_sqlite_core.SQLiteColumn<{
5967
+ name: "agent_id";
5968
+ tableName: "kavach_cost_events";
5952
5969
  dataType: "string";
5953
5970
  columnType: "SQLiteText";
5954
5971
  data: string;
@@ -5965,9 +5982,9 @@ declare const jwtRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
5965
5982
  }, {}, {
5966
5983
  length: number | undefined;
5967
5984
  }>;
5968
- userId: drizzle_orm_sqlite_core.SQLiteColumn<{
5969
- name: "user_id";
5970
- tableName: "kavach_jwt_refresh_tokens";
5985
+ tool: drizzle_orm_sqlite_core.SQLiteColumn<{
5986
+ name: "tool";
5987
+ tableName: "kavach_cost_events";
5971
5988
  dataType: "string";
5972
5989
  columnType: "SQLiteText";
5973
5990
  data: string;
@@ -5984,15 +6001,49 @@ declare const jwtRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
5984
6001
  }, {}, {
5985
6002
  length: number | undefined;
5986
6003
  }>;
5987
- used: drizzle_orm_sqlite_core.SQLiteColumn<{
5988
- name: "used";
5989
- tableName: "kavach_jwt_refresh_tokens";
5990
- dataType: "boolean";
5991
- columnType: "SQLiteBoolean";
5992
- data: boolean;
6004
+ inputTokens: drizzle_orm_sqlite_core.SQLiteColumn<{
6005
+ name: "input_tokens";
6006
+ tableName: "kavach_cost_events";
6007
+ dataType: "number";
6008
+ columnType: "SQLiteInteger";
6009
+ data: number;
6010
+ driverParam: number;
6011
+ notNull: false;
6012
+ hasDefault: false;
6013
+ isPrimaryKey: false;
6014
+ isAutoincrement: false;
6015
+ hasRuntimeDefault: false;
6016
+ enumValues: undefined;
6017
+ baseColumn: never;
6018
+ identity: undefined;
6019
+ generated: undefined;
6020
+ }, {}, {}>;
6021
+ outputTokens: drizzle_orm_sqlite_core.SQLiteColumn<{
6022
+ name: "output_tokens";
6023
+ tableName: "kavach_cost_events";
6024
+ dataType: "number";
6025
+ columnType: "SQLiteInteger";
6026
+ data: number;
6027
+ driverParam: number;
6028
+ notNull: false;
6029
+ hasDefault: false;
6030
+ isPrimaryKey: false;
6031
+ isAutoincrement: false;
6032
+ hasRuntimeDefault: false;
6033
+ enumValues: undefined;
6034
+ baseColumn: never;
6035
+ identity: undefined;
6036
+ generated: undefined;
6037
+ }, {}, {}>;
6038
+ costMicros: drizzle_orm_sqlite_core.SQLiteColumn<{
6039
+ name: "cost_micros";
6040
+ tableName: "kavach_cost_events";
6041
+ dataType: "number";
6042
+ columnType: "SQLiteInteger";
6043
+ data: number;
5993
6044
  driverParam: number;
5994
6045
  notNull: true;
5995
- hasDefault: true;
6046
+ hasDefault: false;
5996
6047
  isPrimaryKey: false;
5997
6048
  isAutoincrement: false;
5998
6049
  hasRuntimeDefault: false;
@@ -6001,9 +6052,66 @@ declare const jwtRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6001
6052
  identity: undefined;
6002
6053
  generated: undefined;
6003
6054
  }, {}, {}>;
6004
- expiresAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6005
- name: "expires_at";
6006
- tableName: "kavach_jwt_refresh_tokens";
6055
+ currency: drizzle_orm_sqlite_core.SQLiteColumn<{
6056
+ name: "currency";
6057
+ tableName: "kavach_cost_events";
6058
+ dataType: "string";
6059
+ columnType: "SQLiteText";
6060
+ data: string;
6061
+ driverParam: string;
6062
+ notNull: true;
6063
+ hasDefault: true;
6064
+ isPrimaryKey: false;
6065
+ isAutoincrement: false;
6066
+ hasRuntimeDefault: false;
6067
+ enumValues: [string, ...string[]];
6068
+ baseColumn: never;
6069
+ identity: undefined;
6070
+ generated: undefined;
6071
+ }, {}, {
6072
+ length: number | undefined;
6073
+ }>;
6074
+ metadata: drizzle_orm_sqlite_core.SQLiteColumn<{
6075
+ name: "metadata";
6076
+ tableName: "kavach_cost_events";
6077
+ dataType: "json";
6078
+ columnType: "SQLiteTextJson";
6079
+ data: Record<string, unknown>;
6080
+ driverParam: string;
6081
+ notNull: false;
6082
+ hasDefault: false;
6083
+ isPrimaryKey: false;
6084
+ isAutoincrement: false;
6085
+ hasRuntimeDefault: false;
6086
+ enumValues: undefined;
6087
+ baseColumn: never;
6088
+ identity: undefined;
6089
+ generated: undefined;
6090
+ }, {}, {
6091
+ $type: Record<string, unknown>;
6092
+ }>;
6093
+ delegationChainId: drizzle_orm_sqlite_core.SQLiteColumn<{
6094
+ name: "delegation_chain_id";
6095
+ tableName: "kavach_cost_events";
6096
+ dataType: "string";
6097
+ columnType: "SQLiteText";
6098
+ data: string;
6099
+ driverParam: string;
6100
+ notNull: false;
6101
+ hasDefault: false;
6102
+ isPrimaryKey: false;
6103
+ isAutoincrement: false;
6104
+ hasRuntimeDefault: false;
6105
+ enumValues: [string, ...string[]];
6106
+ baseColumn: never;
6107
+ identity: undefined;
6108
+ generated: undefined;
6109
+ }, {}, {
6110
+ length: number | undefined;
6111
+ }>;
6112
+ recordedAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6113
+ name: "recorded_at";
6114
+ tableName: "kavach_cost_events";
6007
6115
  dataType: "date";
6008
6116
  columnType: "SQLiteTimestamp";
6009
6117
  data: Date;
@@ -6018,9 +6126,92 @@ declare const jwtRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6018
6126
  identity: undefined;
6019
6127
  generated: undefined;
6020
6128
  }, {}, {}>;
6021
- createdAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6022
- name: "created_at";
6023
- tableName: "kavach_jwt_refresh_tokens";
6129
+ };
6130
+ dialect: "sqlite";
6131
+ }>;
6132
+ declare const ephemeralSessions: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6133
+ name: "kavach_ephemeral_sessions";
6134
+ schema: undefined;
6135
+ columns: {
6136
+ id: drizzle_orm_sqlite_core.SQLiteColumn<{
6137
+ name: "id";
6138
+ tableName: "kavach_ephemeral_sessions";
6139
+ dataType: "string";
6140
+ columnType: "SQLiteText";
6141
+ data: string;
6142
+ driverParam: string;
6143
+ notNull: true;
6144
+ hasDefault: false;
6145
+ isPrimaryKey: true;
6146
+ isAutoincrement: false;
6147
+ hasRuntimeDefault: false;
6148
+ enumValues: [string, ...string[]];
6149
+ baseColumn: never;
6150
+ identity: undefined;
6151
+ generated: undefined;
6152
+ }, {}, {
6153
+ length: number | undefined;
6154
+ }>;
6155
+ agentId: drizzle_orm_sqlite_core.SQLiteColumn<{
6156
+ name: "agent_id";
6157
+ tableName: "kavach_ephemeral_sessions";
6158
+ dataType: "string";
6159
+ columnType: "SQLiteText";
6160
+ data: string;
6161
+ driverParam: string;
6162
+ notNull: true;
6163
+ hasDefault: false;
6164
+ isPrimaryKey: false;
6165
+ isAutoincrement: false;
6166
+ hasRuntimeDefault: false;
6167
+ enumValues: [string, ...string[]];
6168
+ baseColumn: never;
6169
+ identity: undefined;
6170
+ generated: undefined;
6171
+ }, {}, {
6172
+ length: number | undefined;
6173
+ }>;
6174
+ ownerId: drizzle_orm_sqlite_core.SQLiteColumn<{
6175
+ name: "owner_id";
6176
+ tableName: "kavach_ephemeral_sessions";
6177
+ dataType: "string";
6178
+ columnType: "SQLiteText";
6179
+ data: string;
6180
+ driverParam: string;
6181
+ notNull: true;
6182
+ hasDefault: false;
6183
+ isPrimaryKey: false;
6184
+ isAutoincrement: false;
6185
+ hasRuntimeDefault: false;
6186
+ enumValues: [string, ...string[]];
6187
+ baseColumn: never;
6188
+ identity: undefined;
6189
+ generated: undefined;
6190
+ }, {}, {
6191
+ length: number | undefined;
6192
+ }>;
6193
+ tokenHash: drizzle_orm_sqlite_core.SQLiteColumn<{
6194
+ name: "token_hash";
6195
+ tableName: "kavach_ephemeral_sessions";
6196
+ dataType: "string";
6197
+ columnType: "SQLiteText";
6198
+ data: string;
6199
+ driverParam: string;
6200
+ notNull: true;
6201
+ hasDefault: false;
6202
+ isPrimaryKey: false;
6203
+ isAutoincrement: false;
6204
+ hasRuntimeDefault: false;
6205
+ enumValues: [string, ...string[]];
6206
+ baseColumn: never;
6207
+ identity: undefined;
6208
+ generated: undefined;
6209
+ }, {}, {
6210
+ length: number | undefined;
6211
+ }>;
6212
+ expiresAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6213
+ name: "expires_at";
6214
+ tableName: "kavach_ephemeral_sessions";
6024
6215
  dataType: "date";
6025
6216
  columnType: "SQLiteTimestamp";
6026
6217
  data: Date;
@@ -6035,78 +6226,1037 @@ declare const jwtRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6035
6226
  identity: undefined;
6036
6227
  generated: undefined;
6037
6228
  }, {}, {}>;
6038
- };
6039
- dialect: "sqlite";
6040
- }>;
6041
-
6042
- declare const schema_agentCards: typeof agentCards;
6043
- declare const schema_agentDids: typeof agentDids;
6044
- declare const schema_agents: typeof agents;
6045
- declare const schema_apiKeys: typeof apiKeys;
6046
- declare const schema_approvalRequests: typeof approvalRequests;
6047
- declare const schema_auditLogs: typeof auditLogs;
6048
- declare const schema_budgetPolicies: typeof budgetPolicies;
6049
- declare const schema_delegationChains: typeof delegationChains;
6050
- declare const schema_emailOtps: typeof emailOtps;
6051
- declare const schema_jwtRefreshTokens: typeof jwtRefreshTokens;
6052
- declare const schema_loginHistory: typeof loginHistory;
6053
- declare const schema_magicLinks: typeof magicLinks;
6054
- declare const schema_mcpServers: typeof mcpServers;
6055
- declare const schema_oauthAccessTokens: typeof oauthAccessTokens;
6056
- declare const schema_oauthAuthorizationCodes: typeof oauthAuthorizationCodes;
6057
- declare const schema_oauthClients: typeof oauthClients;
6058
- declare const schema_oidcAuthCodes: typeof oidcAuthCodes;
6059
- declare const schema_oidcClients: typeof oidcClients;
6060
- declare const schema_oidcRefreshTokens: typeof oidcRefreshTokens;
6061
- declare const schema_oneTimeTokens: typeof oneTimeTokens;
6062
- declare const schema_orgInvitations: typeof orgInvitations;
6063
- declare const schema_orgMembers: typeof orgMembers;
6064
- declare const schema_orgRoles: typeof orgRoles;
6065
- declare const schema_organizations: typeof organizations;
6066
- declare const schema_passkeyChallenges: typeof passkeyChallenges;
6067
- declare const schema_passkeyCredentials: typeof passkeyCredentials;
6068
- declare const schema_permissions: typeof permissions;
6069
- declare const schema_phoneVerifications: typeof phoneVerifications;
6070
- declare const schema_rateLimits: typeof rateLimits;
6071
- declare const schema_sessions: typeof sessions;
6072
- declare const schema_ssoConnections: typeof ssoConnections;
6073
- declare const schema_tenants: typeof tenants;
6074
- declare const schema_totpRecords: typeof totpRecords;
6075
- declare const schema_trustScores: typeof trustScores;
6076
- declare const schema_trustedDevices: typeof trustedDevices;
6077
- declare const schema_usernameAccounts: typeof usernameAccounts;
6078
- declare const schema_users: typeof users;
6079
- declare namespace schema {
6080
- export { schema_agentCards as agentCards, schema_agentDids as agentDids, schema_agents as agents, schema_apiKeys as apiKeys, schema_approvalRequests as approvalRequests, schema_auditLogs as auditLogs, schema_budgetPolicies as budgetPolicies, schema_delegationChains as delegationChains, schema_emailOtps as emailOtps, schema_jwtRefreshTokens as jwtRefreshTokens, schema_loginHistory as loginHistory, schema_magicLinks as magicLinks, schema_mcpServers as mcpServers, schema_oauthAccessTokens as oauthAccessTokens, schema_oauthAuthorizationCodes as oauthAuthorizationCodes, schema_oauthClients as oauthClients, schema_oidcAuthCodes as oidcAuthCodes, schema_oidcClients as oidcClients, schema_oidcRefreshTokens as oidcRefreshTokens, schema_oneTimeTokens as oneTimeTokens, schema_orgInvitations as orgInvitations, schema_orgMembers as orgMembers, schema_orgRoles as orgRoles, schema_organizations as organizations, schema_passkeyChallenges as passkeyChallenges, schema_passkeyCredentials as passkeyCredentials, schema_permissions as permissions, schema_phoneVerifications as phoneVerifications, schema_rateLimits as rateLimits, schema_sessions as sessions, schema_ssoConnections as ssoConnections, schema_tenants as tenants, schema_totpRecords as totpRecords, schema_trustScores as trustScores, schema_trustedDevices as trustedDevices, schema_usernameAccounts as usernameAccounts, schema_users as users };
6081
- }
6082
-
6083
- /**
6084
- * The fully-typed SQLite Drizzle database.
6085
- * Postgres and MySQL connections are represented as `AnyDatabase` at the
6086
- * adapter boundary because drizzle-orm exposes separate schema builders
6087
- * (pg-core / mysql-core) that are incompatible with the SQLite schema
6088
- * defined in schema.ts. Full multi-dialect Drizzle schema support is
6089
- * planned for v0.2.0.
6090
- */
6091
- type Database = BetterSQLite3Database<typeof schema>;
6092
- interface DatabaseConfig$1 {
6093
- provider: "sqlite" | "postgres" | "mysql";
6094
- url: string;
6095
- /** Skip automatic table creation on init (default: false) */
6096
- skipMigrations?: boolean;
6229
+ maxActions: drizzle_orm_sqlite_core.SQLiteColumn<{
6230
+ name: "max_actions";
6231
+ tableName: "kavach_ephemeral_sessions";
6232
+ dataType: "number";
6233
+ columnType: "SQLiteInteger";
6234
+ data: number;
6235
+ driverParam: number;
6236
+ notNull: false;
6237
+ hasDefault: false;
6238
+ isPrimaryKey: false;
6239
+ isAutoincrement: false;
6240
+ hasRuntimeDefault: false;
6241
+ enumValues: undefined;
6242
+ baseColumn: never;
6243
+ identity: undefined;
6244
+ generated: undefined;
6245
+ }, {}, {}>;
6246
+ actionsUsed: drizzle_orm_sqlite_core.SQLiteColumn<{
6247
+ name: "actions_used";
6248
+ tableName: "kavach_ephemeral_sessions";
6249
+ dataType: "number";
6250
+ columnType: "SQLiteInteger";
6251
+ data: number;
6252
+ driverParam: number;
6253
+ notNull: true;
6254
+ hasDefault: true;
6255
+ isPrimaryKey: false;
6256
+ isAutoincrement: false;
6257
+ hasRuntimeDefault: false;
6258
+ enumValues: undefined;
6259
+ baseColumn: never;
6260
+ identity: undefined;
6261
+ generated: undefined;
6262
+ }, {}, {}>;
6263
+ status: drizzle_orm_sqlite_core.SQLiteColumn<{
6264
+ name: "status";
6265
+ tableName: "kavach_ephemeral_sessions";
6266
+ dataType: "string";
6267
+ columnType: "SQLiteText";
6268
+ data: "active" | "revoked" | "expired" | "exhausted";
6269
+ driverParam: string;
6270
+ notNull: true;
6271
+ hasDefault: true;
6272
+ isPrimaryKey: false;
6273
+ isAutoincrement: false;
6274
+ hasRuntimeDefault: false;
6275
+ enumValues: ["active", "expired", "exhausted", "revoked"];
6276
+ baseColumn: never;
6277
+ identity: undefined;
6278
+ generated: undefined;
6279
+ }, {}, {
6280
+ length: number | undefined;
6281
+ }>;
6282
+ auditGroupId: drizzle_orm_sqlite_core.SQLiteColumn<{
6283
+ name: "audit_group_id";
6284
+ tableName: "kavach_ephemeral_sessions";
6285
+ dataType: "string";
6286
+ columnType: "SQLiteText";
6287
+ data: string;
6288
+ driverParam: string;
6289
+ notNull: true;
6290
+ hasDefault: false;
6291
+ isPrimaryKey: false;
6292
+ isAutoincrement: false;
6293
+ hasRuntimeDefault: false;
6294
+ enumValues: [string, ...string[]];
6295
+ baseColumn: never;
6296
+ identity: undefined;
6297
+ generated: undefined;
6298
+ }, {}, {
6299
+ length: number | undefined;
6300
+ }>;
6301
+ createdAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6302
+ name: "created_at";
6303
+ tableName: "kavach_ephemeral_sessions";
6304
+ dataType: "date";
6305
+ columnType: "SQLiteTimestamp";
6306
+ data: Date;
6307
+ driverParam: number;
6308
+ notNull: true;
6309
+ hasDefault: false;
6310
+ isPrimaryKey: false;
6311
+ isAutoincrement: false;
6312
+ hasRuntimeDefault: false;
6313
+ enumValues: undefined;
6314
+ baseColumn: never;
6315
+ identity: undefined;
6316
+ generated: undefined;
6317
+ }, {}, {}>;
6318
+ updatedAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6319
+ name: "updated_at";
6320
+ tableName: "kavach_ephemeral_sessions";
6321
+ dataType: "date";
6322
+ columnType: "SQLiteTimestamp";
6323
+ data: Date;
6324
+ driverParam: number;
6325
+ notNull: true;
6326
+ hasDefault: false;
6327
+ isPrimaryKey: false;
6328
+ isAutoincrement: false;
6329
+ hasRuntimeDefault: false;
6330
+ enumValues: undefined;
6331
+ baseColumn: never;
6332
+ identity: undefined;
6333
+ generated: undefined;
6334
+ }, {}, {}>;
6335
+ };
6336
+ dialect: "sqlite";
6337
+ }>;
6338
+ declare const streamEvents: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6339
+ name: "kavach_stream_events";
6340
+ schema: undefined;
6341
+ columns: {
6342
+ id: drizzle_orm_sqlite_core.SQLiteColumn<{
6343
+ name: "id";
6344
+ tableName: "kavach_stream_events";
6345
+ dataType: "string";
6346
+ columnType: "SQLiteText";
6347
+ data: string;
6348
+ driverParam: string;
6349
+ notNull: true;
6350
+ hasDefault: false;
6351
+ isPrimaryKey: true;
6352
+ isAutoincrement: false;
6353
+ hasRuntimeDefault: false;
6354
+ enumValues: [string, ...string[]];
6355
+ baseColumn: never;
6356
+ identity: undefined;
6357
+ generated: undefined;
6358
+ }, {}, {
6359
+ length: number | undefined;
6360
+ }>;
6361
+ type: drizzle_orm_sqlite_core.SQLiteColumn<{
6362
+ name: "type";
6363
+ tableName: "kavach_stream_events";
6364
+ dataType: "string";
6365
+ columnType: "SQLiteText";
6366
+ data: string;
6367
+ driverParam: string;
6368
+ notNull: true;
6369
+ hasDefault: false;
6370
+ isPrimaryKey: false;
6371
+ isAutoincrement: false;
6372
+ hasRuntimeDefault: false;
6373
+ enumValues: [string, ...string[]];
6374
+ baseColumn: never;
6375
+ identity: undefined;
6376
+ generated: undefined;
6377
+ }, {}, {
6378
+ length: number | undefined;
6379
+ }>;
6380
+ timestamp: drizzle_orm_sqlite_core.SQLiteColumn<{
6381
+ name: "timestamp";
6382
+ tableName: "kavach_stream_events";
6383
+ dataType: "date";
6384
+ columnType: "SQLiteTimestamp";
6385
+ data: Date;
6386
+ driverParam: number;
6387
+ notNull: true;
6388
+ hasDefault: false;
6389
+ isPrimaryKey: false;
6390
+ isAutoincrement: false;
6391
+ hasRuntimeDefault: false;
6392
+ enumValues: undefined;
6393
+ baseColumn: never;
6394
+ identity: undefined;
6395
+ generated: undefined;
6396
+ }, {}, {}>;
6397
+ data: drizzle_orm_sqlite_core.SQLiteColumn<{
6398
+ name: "data";
6399
+ tableName: "kavach_stream_events";
6400
+ dataType: "json";
6401
+ columnType: "SQLiteTextJson";
6402
+ data: Record<string, unknown>;
6403
+ driverParam: string;
6404
+ notNull: true;
6405
+ hasDefault: false;
6406
+ isPrimaryKey: false;
6407
+ isAutoincrement: false;
6408
+ hasRuntimeDefault: false;
6409
+ enumValues: undefined;
6410
+ baseColumn: never;
6411
+ identity: undefined;
6412
+ generated: undefined;
6413
+ }, {}, {
6414
+ $type: Record<string, unknown>;
6415
+ }>;
6416
+ agentId: drizzle_orm_sqlite_core.SQLiteColumn<{
6417
+ name: "agent_id";
6418
+ tableName: "kavach_stream_events";
6419
+ dataType: "string";
6420
+ columnType: "SQLiteText";
6421
+ data: string;
6422
+ driverParam: string;
6423
+ notNull: false;
6424
+ hasDefault: false;
6425
+ isPrimaryKey: false;
6426
+ isAutoincrement: false;
6427
+ hasRuntimeDefault: false;
6428
+ enumValues: [string, ...string[]];
6429
+ baseColumn: never;
6430
+ identity: undefined;
6431
+ generated: undefined;
6432
+ }, {}, {
6433
+ length: number | undefined;
6434
+ }>;
6435
+ userId: drizzle_orm_sqlite_core.SQLiteColumn<{
6436
+ name: "user_id";
6437
+ tableName: "kavach_stream_events";
6438
+ dataType: "string";
6439
+ columnType: "SQLiteText";
6440
+ data: string;
6441
+ driverParam: string;
6442
+ notNull: false;
6443
+ hasDefault: false;
6444
+ isPrimaryKey: false;
6445
+ isAutoincrement: false;
6446
+ hasRuntimeDefault: false;
6447
+ enumValues: [string, ...string[]];
6448
+ baseColumn: never;
6449
+ identity: undefined;
6450
+ generated: undefined;
6451
+ }, {}, {
6452
+ length: number | undefined;
6453
+ }>;
6454
+ };
6455
+ dialect: "sqlite";
6456
+ }>;
6457
+ declare const jwtRefreshTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6458
+ name: "kavach_jwt_refresh_tokens";
6459
+ schema: undefined;
6460
+ columns: {
6461
+ id: drizzle_orm_sqlite_core.SQLiteColumn<{
6462
+ name: "id";
6463
+ tableName: "kavach_jwt_refresh_tokens";
6464
+ dataType: "string";
6465
+ columnType: "SQLiteText";
6466
+ data: string;
6467
+ driverParam: string;
6468
+ notNull: true;
6469
+ hasDefault: false;
6470
+ isPrimaryKey: true;
6471
+ isAutoincrement: false;
6472
+ hasRuntimeDefault: false;
6473
+ enumValues: [string, ...string[]];
6474
+ baseColumn: never;
6475
+ identity: undefined;
6476
+ generated: undefined;
6477
+ }, {}, {
6478
+ length: number | undefined;
6479
+ }>;
6480
+ tokenHash: drizzle_orm_sqlite_core.SQLiteColumn<{
6481
+ name: "token_hash";
6482
+ tableName: "kavach_jwt_refresh_tokens";
6483
+ dataType: "string";
6484
+ columnType: "SQLiteText";
6485
+ data: string;
6486
+ driverParam: string;
6487
+ notNull: true;
6488
+ hasDefault: false;
6489
+ isPrimaryKey: false;
6490
+ isAutoincrement: false;
6491
+ hasRuntimeDefault: false;
6492
+ enumValues: [string, ...string[]];
6493
+ baseColumn: never;
6494
+ identity: undefined;
6495
+ generated: undefined;
6496
+ }, {}, {
6497
+ length: number | undefined;
6498
+ }>;
6499
+ userId: drizzle_orm_sqlite_core.SQLiteColumn<{
6500
+ name: "user_id";
6501
+ tableName: "kavach_jwt_refresh_tokens";
6502
+ dataType: "string";
6503
+ columnType: "SQLiteText";
6504
+ data: string;
6505
+ driverParam: string;
6506
+ notNull: true;
6507
+ hasDefault: false;
6508
+ isPrimaryKey: false;
6509
+ isAutoincrement: false;
6510
+ hasRuntimeDefault: false;
6511
+ enumValues: [string, ...string[]];
6512
+ baseColumn: never;
6513
+ identity: undefined;
6514
+ generated: undefined;
6515
+ }, {}, {
6516
+ length: number | undefined;
6517
+ }>;
6518
+ used: drizzle_orm_sqlite_core.SQLiteColumn<{
6519
+ name: "used";
6520
+ tableName: "kavach_jwt_refresh_tokens";
6521
+ dataType: "boolean";
6522
+ columnType: "SQLiteBoolean";
6523
+ data: boolean;
6524
+ driverParam: number;
6525
+ notNull: true;
6526
+ hasDefault: true;
6527
+ isPrimaryKey: false;
6528
+ isAutoincrement: false;
6529
+ hasRuntimeDefault: false;
6530
+ enumValues: undefined;
6531
+ baseColumn: never;
6532
+ identity: undefined;
6533
+ generated: undefined;
6534
+ }, {}, {}>;
6535
+ expiresAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6536
+ name: "expires_at";
6537
+ tableName: "kavach_jwt_refresh_tokens";
6538
+ dataType: "date";
6539
+ columnType: "SQLiteTimestamp";
6540
+ data: Date;
6541
+ driverParam: number;
6542
+ notNull: true;
6543
+ hasDefault: false;
6544
+ isPrimaryKey: false;
6545
+ isAutoincrement: false;
6546
+ hasRuntimeDefault: false;
6547
+ enumValues: undefined;
6548
+ baseColumn: never;
6549
+ identity: undefined;
6550
+ generated: undefined;
6551
+ }, {}, {}>;
6552
+ createdAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6553
+ name: "created_at";
6554
+ tableName: "kavach_jwt_refresh_tokens";
6555
+ dataType: "date";
6556
+ columnType: "SQLiteTimestamp";
6557
+ data: Date;
6558
+ driverParam: number;
6559
+ notNull: true;
6560
+ hasDefault: false;
6561
+ isPrimaryKey: false;
6562
+ isAutoincrement: false;
6563
+ hasRuntimeDefault: false;
6564
+ enumValues: undefined;
6565
+ baseColumn: never;
6566
+ identity: undefined;
6567
+ generated: undefined;
6568
+ }, {}, {}>;
6569
+ };
6570
+ dialect: "sqlite";
6571
+ }>;
6572
+ declare const rebacResources: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6573
+ name: "kavach_rebac_resources";
6574
+ schema: undefined;
6575
+ columns: {
6576
+ id: drizzle_orm_sqlite_core.SQLiteColumn<{
6577
+ name: "id";
6578
+ tableName: "kavach_rebac_resources";
6579
+ dataType: "string";
6580
+ columnType: "SQLiteText";
6581
+ data: string;
6582
+ driverParam: string;
6583
+ notNull: true;
6584
+ hasDefault: false;
6585
+ isPrimaryKey: true;
6586
+ isAutoincrement: false;
6587
+ hasRuntimeDefault: false;
6588
+ enumValues: [string, ...string[]];
6589
+ baseColumn: never;
6590
+ identity: undefined;
6591
+ generated: undefined;
6592
+ }, {}, {
6593
+ length: number | undefined;
6594
+ }>;
6595
+ type: drizzle_orm_sqlite_core.SQLiteColumn<{
6596
+ name: "type";
6597
+ tableName: "kavach_rebac_resources";
6598
+ dataType: "string";
6599
+ columnType: "SQLiteText";
6600
+ data: string;
6601
+ driverParam: string;
6602
+ notNull: true;
6603
+ hasDefault: false;
6604
+ isPrimaryKey: false;
6605
+ isAutoincrement: false;
6606
+ hasRuntimeDefault: false;
6607
+ enumValues: [string, ...string[]];
6608
+ baseColumn: never;
6609
+ identity: undefined;
6610
+ generated: undefined;
6611
+ }, {}, {
6612
+ length: number | undefined;
6613
+ }>;
6614
+ parentId: drizzle_orm_sqlite_core.SQLiteColumn<{
6615
+ name: "parent_id";
6616
+ tableName: "kavach_rebac_resources";
6617
+ dataType: "string";
6618
+ columnType: "SQLiteText";
6619
+ data: string;
6620
+ driverParam: string;
6621
+ notNull: false;
6622
+ hasDefault: false;
6623
+ isPrimaryKey: false;
6624
+ isAutoincrement: false;
6625
+ hasRuntimeDefault: false;
6626
+ enumValues: [string, ...string[]];
6627
+ baseColumn: never;
6628
+ identity: undefined;
6629
+ generated: undefined;
6630
+ }, {}, {
6631
+ length: number | undefined;
6632
+ }>;
6633
+ parentType: drizzle_orm_sqlite_core.SQLiteColumn<{
6634
+ name: "parent_type";
6635
+ tableName: "kavach_rebac_resources";
6636
+ dataType: "string";
6637
+ columnType: "SQLiteText";
6638
+ data: string;
6639
+ driverParam: string;
6640
+ notNull: false;
6641
+ hasDefault: false;
6642
+ isPrimaryKey: false;
6643
+ isAutoincrement: false;
6644
+ hasRuntimeDefault: false;
6645
+ enumValues: [string, ...string[]];
6646
+ baseColumn: never;
6647
+ identity: undefined;
6648
+ generated: undefined;
6649
+ }, {}, {
6650
+ length: number | undefined;
6651
+ }>;
6652
+ createdAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6653
+ name: "created_at";
6654
+ tableName: "kavach_rebac_resources";
6655
+ dataType: "date";
6656
+ columnType: "SQLiteTimestamp";
6657
+ data: Date;
6658
+ driverParam: number;
6659
+ notNull: true;
6660
+ hasDefault: false;
6661
+ isPrimaryKey: false;
6662
+ isAutoincrement: false;
6663
+ hasRuntimeDefault: false;
6664
+ enumValues: undefined;
6665
+ baseColumn: never;
6666
+ identity: undefined;
6667
+ generated: undefined;
6668
+ }, {}, {}>;
6669
+ };
6670
+ dialect: "sqlite";
6671
+ }>;
6672
+ declare const rebacRelationships: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6673
+ name: "kavach_rebac_relationships";
6674
+ schema: undefined;
6675
+ columns: {
6676
+ id: drizzle_orm_sqlite_core.SQLiteColumn<{
6677
+ name: "id";
6678
+ tableName: "kavach_rebac_relationships";
6679
+ dataType: "string";
6680
+ columnType: "SQLiteText";
6681
+ data: string;
6682
+ driverParam: string;
6683
+ notNull: true;
6684
+ hasDefault: false;
6685
+ isPrimaryKey: true;
6686
+ isAutoincrement: false;
6687
+ hasRuntimeDefault: false;
6688
+ enumValues: [string, ...string[]];
6689
+ baseColumn: never;
6690
+ identity: undefined;
6691
+ generated: undefined;
6692
+ }, {}, {
6693
+ length: number | undefined;
6694
+ }>;
6695
+ subjectType: drizzle_orm_sqlite_core.SQLiteColumn<{
6696
+ name: "subject_type";
6697
+ tableName: "kavach_rebac_relationships";
6698
+ dataType: "string";
6699
+ columnType: "SQLiteText";
6700
+ data: string;
6701
+ driverParam: string;
6702
+ notNull: true;
6703
+ hasDefault: false;
6704
+ isPrimaryKey: false;
6705
+ isAutoincrement: false;
6706
+ hasRuntimeDefault: false;
6707
+ enumValues: [string, ...string[]];
6708
+ baseColumn: never;
6709
+ identity: undefined;
6710
+ generated: undefined;
6711
+ }, {}, {
6712
+ length: number | undefined;
6713
+ }>;
6714
+ subjectId: drizzle_orm_sqlite_core.SQLiteColumn<{
6715
+ name: "subject_id";
6716
+ tableName: "kavach_rebac_relationships";
6717
+ dataType: "string";
6718
+ columnType: "SQLiteText";
6719
+ data: string;
6720
+ driverParam: string;
6721
+ notNull: true;
6722
+ hasDefault: false;
6723
+ isPrimaryKey: false;
6724
+ isAutoincrement: false;
6725
+ hasRuntimeDefault: false;
6726
+ enumValues: [string, ...string[]];
6727
+ baseColumn: never;
6728
+ identity: undefined;
6729
+ generated: undefined;
6730
+ }, {}, {
6731
+ length: number | undefined;
6732
+ }>;
6733
+ relation: drizzle_orm_sqlite_core.SQLiteColumn<{
6734
+ name: "relation";
6735
+ tableName: "kavach_rebac_relationships";
6736
+ dataType: "string";
6737
+ columnType: "SQLiteText";
6738
+ data: string;
6739
+ driverParam: string;
6740
+ notNull: true;
6741
+ hasDefault: false;
6742
+ isPrimaryKey: false;
6743
+ isAutoincrement: false;
6744
+ hasRuntimeDefault: false;
6745
+ enumValues: [string, ...string[]];
6746
+ baseColumn: never;
6747
+ identity: undefined;
6748
+ generated: undefined;
6749
+ }, {}, {
6750
+ length: number | undefined;
6751
+ }>;
6752
+ objectType: drizzle_orm_sqlite_core.SQLiteColumn<{
6753
+ name: "object_type";
6754
+ tableName: "kavach_rebac_relationships";
6755
+ dataType: "string";
6756
+ columnType: "SQLiteText";
6757
+ data: string;
6758
+ driverParam: string;
6759
+ notNull: true;
6760
+ hasDefault: false;
6761
+ isPrimaryKey: false;
6762
+ isAutoincrement: false;
6763
+ hasRuntimeDefault: false;
6764
+ enumValues: [string, ...string[]];
6765
+ baseColumn: never;
6766
+ identity: undefined;
6767
+ generated: undefined;
6768
+ }, {}, {
6769
+ length: number | undefined;
6770
+ }>;
6771
+ objectId: drizzle_orm_sqlite_core.SQLiteColumn<{
6772
+ name: "object_id";
6773
+ tableName: "kavach_rebac_relationships";
6774
+ dataType: "string";
6775
+ columnType: "SQLiteText";
6776
+ data: string;
6777
+ driverParam: string;
6778
+ notNull: true;
6779
+ hasDefault: false;
6780
+ isPrimaryKey: false;
6781
+ isAutoincrement: false;
6782
+ hasRuntimeDefault: false;
6783
+ enumValues: [string, ...string[]];
6784
+ baseColumn: never;
6785
+ identity: undefined;
6786
+ generated: undefined;
6787
+ }, {}, {
6788
+ length: number | undefined;
6789
+ }>;
6790
+ createdAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6791
+ name: "created_at";
6792
+ tableName: "kavach_rebac_relationships";
6793
+ dataType: "date";
6794
+ columnType: "SQLiteTimestamp";
6795
+ data: Date;
6796
+ driverParam: number;
6797
+ notNull: true;
6798
+ hasDefault: false;
6799
+ isPrimaryKey: false;
6800
+ isAutoincrement: false;
6801
+ hasRuntimeDefault: false;
6802
+ enumValues: undefined;
6803
+ baseColumn: never;
6804
+ identity: undefined;
6805
+ generated: undefined;
6806
+ }, {}, {}>;
6807
+ };
6808
+ dialect: "sqlite";
6809
+ }>;
6810
+ declare const federationInstances: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6811
+ name: "kavach_federation_instances";
6812
+ schema: undefined;
6813
+ columns: {
6814
+ id: drizzle_orm_sqlite_core.SQLiteColumn<{
6815
+ name: "id";
6816
+ tableName: "kavach_federation_instances";
6817
+ dataType: "string";
6818
+ columnType: "SQLiteText";
6819
+ data: string;
6820
+ driverParam: string;
6821
+ notNull: true;
6822
+ hasDefault: false;
6823
+ isPrimaryKey: true;
6824
+ isAutoincrement: false;
6825
+ hasRuntimeDefault: false;
6826
+ enumValues: [string, ...string[]];
6827
+ baseColumn: never;
6828
+ identity: undefined;
6829
+ generated: undefined;
6830
+ }, {}, {
6831
+ length: number | undefined;
6832
+ }>;
6833
+ instanceId: drizzle_orm_sqlite_core.SQLiteColumn<{
6834
+ name: "instance_id";
6835
+ tableName: "kavach_federation_instances";
6836
+ dataType: "string";
6837
+ columnType: "SQLiteText";
6838
+ data: string;
6839
+ driverParam: string;
6840
+ notNull: true;
6841
+ hasDefault: false;
6842
+ isPrimaryKey: false;
6843
+ isAutoincrement: false;
6844
+ hasRuntimeDefault: false;
6845
+ enumValues: [string, ...string[]];
6846
+ baseColumn: never;
6847
+ identity: undefined;
6848
+ generated: undefined;
6849
+ }, {}, {
6850
+ length: number | undefined;
6851
+ }>;
6852
+ instanceUrl: drizzle_orm_sqlite_core.SQLiteColumn<{
6853
+ name: "instance_url";
6854
+ tableName: "kavach_federation_instances";
6855
+ dataType: "string";
6856
+ columnType: "SQLiteText";
6857
+ data: string;
6858
+ driverParam: string;
6859
+ notNull: true;
6860
+ hasDefault: false;
6861
+ isPrimaryKey: false;
6862
+ isAutoincrement: false;
6863
+ hasRuntimeDefault: false;
6864
+ enumValues: [string, ...string[]];
6865
+ baseColumn: never;
6866
+ identity: undefined;
6867
+ generated: undefined;
6868
+ }, {}, {
6869
+ length: number | undefined;
6870
+ }>;
6871
+ publicKeyJwk: drizzle_orm_sqlite_core.SQLiteColumn<{
6872
+ name: "public_key_jwk";
6873
+ tableName: "kavach_federation_instances";
6874
+ dataType: "string";
6875
+ columnType: "SQLiteText";
6876
+ data: string;
6877
+ driverParam: string;
6878
+ notNull: false;
6879
+ hasDefault: false;
6880
+ isPrimaryKey: false;
6881
+ isAutoincrement: false;
6882
+ hasRuntimeDefault: false;
6883
+ enumValues: [string, ...string[]];
6884
+ baseColumn: never;
6885
+ identity: undefined;
6886
+ generated: undefined;
6887
+ }, {}, {
6888
+ length: number | undefined;
6889
+ }>;
6890
+ trustLevel: drizzle_orm_sqlite_core.SQLiteColumn<{
6891
+ name: "trust_level";
6892
+ tableName: "kavach_federation_instances";
6893
+ dataType: "string";
6894
+ columnType: "SQLiteText";
6895
+ data: "limited" | "full" | "verify-only";
6896
+ driverParam: string;
6897
+ notNull: true;
6898
+ hasDefault: true;
6899
+ isPrimaryKey: false;
6900
+ isAutoincrement: false;
6901
+ hasRuntimeDefault: false;
6902
+ enumValues: ["full", "limited", "verify-only"];
6903
+ baseColumn: never;
6904
+ identity: undefined;
6905
+ generated: undefined;
6906
+ }, {}, {
6907
+ length: number | undefined;
6908
+ }>;
6909
+ discoveredAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6910
+ name: "discovered_at";
6911
+ tableName: "kavach_federation_instances";
6912
+ dataType: "date";
6913
+ columnType: "SQLiteTimestamp";
6914
+ data: Date;
6915
+ driverParam: number;
6916
+ notNull: false;
6917
+ hasDefault: false;
6918
+ isPrimaryKey: false;
6919
+ isAutoincrement: false;
6920
+ hasRuntimeDefault: false;
6921
+ enumValues: undefined;
6922
+ baseColumn: never;
6923
+ identity: undefined;
6924
+ generated: undefined;
6925
+ }, {}, {}>;
6926
+ createdAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6927
+ name: "created_at";
6928
+ tableName: "kavach_federation_instances";
6929
+ dataType: "date";
6930
+ columnType: "SQLiteTimestamp";
6931
+ data: Date;
6932
+ driverParam: number;
6933
+ notNull: true;
6934
+ hasDefault: false;
6935
+ isPrimaryKey: false;
6936
+ isAutoincrement: false;
6937
+ hasRuntimeDefault: false;
6938
+ enumValues: undefined;
6939
+ baseColumn: never;
6940
+ identity: undefined;
6941
+ generated: undefined;
6942
+ }, {}, {}>;
6943
+ updatedAt: drizzle_orm_sqlite_core.SQLiteColumn<{
6944
+ name: "updated_at";
6945
+ tableName: "kavach_federation_instances";
6946
+ dataType: "date";
6947
+ columnType: "SQLiteTimestamp";
6948
+ data: Date;
6949
+ driverParam: number;
6950
+ notNull: true;
6951
+ hasDefault: false;
6952
+ isPrimaryKey: false;
6953
+ isAutoincrement: false;
6954
+ hasRuntimeDefault: false;
6955
+ enumValues: undefined;
6956
+ baseColumn: never;
6957
+ identity: undefined;
6958
+ generated: undefined;
6959
+ }, {}, {}>;
6960
+ };
6961
+ dialect: "sqlite";
6962
+ }>;
6963
+ declare const federationTokens: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
6964
+ name: "kavach_federation_tokens";
6965
+ schema: undefined;
6966
+ columns: {
6967
+ id: drizzle_orm_sqlite_core.SQLiteColumn<{
6968
+ name: "id";
6969
+ tableName: "kavach_federation_tokens";
6970
+ dataType: "string";
6971
+ columnType: "SQLiteText";
6972
+ data: string;
6973
+ driverParam: string;
6974
+ notNull: true;
6975
+ hasDefault: false;
6976
+ isPrimaryKey: true;
6977
+ isAutoincrement: false;
6978
+ hasRuntimeDefault: false;
6979
+ enumValues: [string, ...string[]];
6980
+ baseColumn: never;
6981
+ identity: undefined;
6982
+ generated: undefined;
6983
+ }, {}, {
6984
+ length: number | undefined;
6985
+ }>;
6986
+ tokenJti: drizzle_orm_sqlite_core.SQLiteColumn<{
6987
+ name: "token_jti";
6988
+ tableName: "kavach_federation_tokens";
6989
+ dataType: "string";
6990
+ columnType: "SQLiteText";
6991
+ data: string;
6992
+ driverParam: string;
6993
+ notNull: true;
6994
+ hasDefault: false;
6995
+ isPrimaryKey: false;
6996
+ isAutoincrement: false;
6997
+ hasRuntimeDefault: false;
6998
+ enumValues: [string, ...string[]];
6999
+ baseColumn: never;
7000
+ identity: undefined;
7001
+ generated: undefined;
7002
+ }, {}, {
7003
+ length: number | undefined;
7004
+ }>;
7005
+ agentId: drizzle_orm_sqlite_core.SQLiteColumn<{
7006
+ name: "agent_id";
7007
+ tableName: "kavach_federation_tokens";
7008
+ dataType: "string";
7009
+ columnType: "SQLiteText";
7010
+ data: string;
7011
+ driverParam: string;
7012
+ notNull: true;
7013
+ hasDefault: false;
7014
+ isPrimaryKey: false;
7015
+ isAutoincrement: false;
7016
+ hasRuntimeDefault: false;
7017
+ enumValues: [string, ...string[]];
7018
+ baseColumn: never;
7019
+ identity: undefined;
7020
+ generated: undefined;
7021
+ }, {}, {
7022
+ length: number | undefined;
7023
+ }>;
7024
+ sourceInstanceId: drizzle_orm_sqlite_core.SQLiteColumn<{
7025
+ name: "source_instance_id";
7026
+ tableName: "kavach_federation_tokens";
7027
+ dataType: "string";
7028
+ columnType: "SQLiteText";
7029
+ data: string;
7030
+ driverParam: string;
7031
+ notNull: true;
7032
+ hasDefault: false;
7033
+ isPrimaryKey: false;
7034
+ isAutoincrement: false;
7035
+ hasRuntimeDefault: false;
7036
+ enumValues: [string, ...string[]];
7037
+ baseColumn: never;
7038
+ identity: undefined;
7039
+ generated: undefined;
7040
+ }, {}, {
7041
+ length: number | undefined;
7042
+ }>;
7043
+ targetInstanceId: drizzle_orm_sqlite_core.SQLiteColumn<{
7044
+ name: "target_instance_id";
7045
+ tableName: "kavach_federation_tokens";
7046
+ dataType: "string";
7047
+ columnType: "SQLiteText";
7048
+ data: string;
7049
+ driverParam: string;
7050
+ notNull: false;
7051
+ hasDefault: false;
7052
+ isPrimaryKey: false;
7053
+ isAutoincrement: false;
7054
+ hasRuntimeDefault: false;
7055
+ enumValues: [string, ...string[]];
7056
+ baseColumn: never;
7057
+ identity: undefined;
7058
+ generated: undefined;
7059
+ }, {}, {
7060
+ length: number | undefined;
7061
+ }>;
7062
+ direction: drizzle_orm_sqlite_core.SQLiteColumn<{
7063
+ name: "direction";
7064
+ tableName: "kavach_federation_tokens";
7065
+ dataType: "string";
7066
+ columnType: "SQLiteText";
7067
+ data: "issued" | "received";
7068
+ driverParam: string;
7069
+ notNull: true;
7070
+ hasDefault: false;
7071
+ isPrimaryKey: false;
7072
+ isAutoincrement: false;
7073
+ hasRuntimeDefault: false;
7074
+ enumValues: ["issued", "received"];
7075
+ baseColumn: never;
7076
+ identity: undefined;
7077
+ generated: undefined;
7078
+ }, {}, {
7079
+ length: number | undefined;
7080
+ }>;
7081
+ permissions: drizzle_orm_sqlite_core.SQLiteColumn<{
7082
+ name: "permissions";
7083
+ tableName: "kavach_federation_tokens";
7084
+ dataType: "json";
7085
+ columnType: "SQLiteTextJson";
7086
+ data: string[];
7087
+ driverParam: string;
7088
+ notNull: true;
7089
+ hasDefault: false;
7090
+ isPrimaryKey: false;
7091
+ isAutoincrement: false;
7092
+ hasRuntimeDefault: false;
7093
+ enumValues: undefined;
7094
+ baseColumn: never;
7095
+ identity: undefined;
7096
+ generated: undefined;
7097
+ }, {}, {
7098
+ $type: string[];
7099
+ }>;
7100
+ trustScore: drizzle_orm_sqlite_core.SQLiteColumn<{
7101
+ name: "trust_score";
7102
+ tableName: "kavach_federation_tokens";
7103
+ dataType: "number";
7104
+ columnType: "SQLiteInteger";
7105
+ data: number;
7106
+ driverParam: number;
7107
+ notNull: false;
7108
+ hasDefault: false;
7109
+ isPrimaryKey: false;
7110
+ isAutoincrement: false;
7111
+ hasRuntimeDefault: false;
7112
+ enumValues: undefined;
7113
+ baseColumn: never;
7114
+ identity: undefined;
7115
+ generated: undefined;
7116
+ }, {}, {}>;
7117
+ expiresAt: drizzle_orm_sqlite_core.SQLiteColumn<{
7118
+ name: "expires_at";
7119
+ tableName: "kavach_federation_tokens";
7120
+ dataType: "date";
7121
+ columnType: "SQLiteTimestamp";
7122
+ data: Date;
7123
+ driverParam: number;
7124
+ notNull: true;
7125
+ hasDefault: false;
7126
+ isPrimaryKey: false;
7127
+ isAutoincrement: false;
7128
+ hasRuntimeDefault: false;
7129
+ enumValues: undefined;
7130
+ baseColumn: never;
7131
+ identity: undefined;
7132
+ generated: undefined;
7133
+ }, {}, {}>;
7134
+ createdAt: drizzle_orm_sqlite_core.SQLiteColumn<{
7135
+ name: "created_at";
7136
+ tableName: "kavach_federation_tokens";
7137
+ dataType: "date";
7138
+ columnType: "SQLiteTimestamp";
7139
+ data: Date;
7140
+ driverParam: number;
7141
+ notNull: true;
7142
+ hasDefault: false;
7143
+ isPrimaryKey: false;
7144
+ isAutoincrement: false;
7145
+ hasRuntimeDefault: false;
7146
+ enumValues: undefined;
7147
+ baseColumn: never;
7148
+ identity: undefined;
7149
+ generated: undefined;
7150
+ }, {}, {}>;
7151
+ };
7152
+ dialect: "sqlite";
7153
+ }>;
7154
+
7155
+ declare const schema_agentCards: typeof agentCards;
7156
+ declare const schema_agentDids: typeof agentDids;
7157
+ declare const schema_agents: typeof agents;
7158
+ declare const schema_apiKeys: typeof apiKeys;
7159
+ declare const schema_approvalRequests: typeof approvalRequests;
7160
+ declare const schema_auditLogs: typeof auditLogs;
7161
+ declare const schema_budgetPolicies: typeof budgetPolicies;
7162
+ declare const schema_costEvents: typeof costEvents;
7163
+ declare const schema_delegationChains: typeof delegationChains;
7164
+ declare const schema_emailOtps: typeof emailOtps;
7165
+ declare const schema_ephemeralSessions: typeof ephemeralSessions;
7166
+ declare const schema_federationInstances: typeof federationInstances;
7167
+ declare const schema_federationTokens: typeof federationTokens;
7168
+ declare const schema_jwtRefreshTokens: typeof jwtRefreshTokens;
7169
+ declare const schema_loginHistory: typeof loginHistory;
7170
+ declare const schema_magicLinks: typeof magicLinks;
7171
+ declare const schema_mcpServers: typeof mcpServers;
7172
+ declare const schema_oauthAccessTokens: typeof oauthAccessTokens;
7173
+ declare const schema_oauthAuthorizationCodes: typeof oauthAuthorizationCodes;
7174
+ declare const schema_oauthClients: typeof oauthClients;
7175
+ declare const schema_oidcAuthCodes: typeof oidcAuthCodes;
7176
+ declare const schema_oidcClients: typeof oidcClients;
7177
+ declare const schema_oidcRefreshTokens: typeof oidcRefreshTokens;
7178
+ declare const schema_oneTimeTokens: typeof oneTimeTokens;
7179
+ declare const schema_orgInvitations: typeof orgInvitations;
7180
+ declare const schema_orgMembers: typeof orgMembers;
7181
+ declare const schema_orgRoles: typeof orgRoles;
7182
+ declare const schema_organizations: typeof organizations;
7183
+ declare const schema_passkeyChallenges: typeof passkeyChallenges;
7184
+ declare const schema_passkeyCredentials: typeof passkeyCredentials;
7185
+ declare const schema_permissions: typeof permissions;
7186
+ declare const schema_phoneVerifications: typeof phoneVerifications;
7187
+ declare const schema_rateLimits: typeof rateLimits;
7188
+ declare const schema_rebacRelationships: typeof rebacRelationships;
7189
+ declare const schema_rebacResources: typeof rebacResources;
7190
+ declare const schema_sessions: typeof sessions;
7191
+ declare const schema_ssoConnections: typeof ssoConnections;
7192
+ declare const schema_streamEvents: typeof streamEvents;
7193
+ declare const schema_tenants: typeof tenants;
7194
+ declare const schema_totpRecords: typeof totpRecords;
7195
+ declare const schema_trustScores: typeof trustScores;
7196
+ declare const schema_trustedDevices: typeof trustedDevices;
7197
+ declare const schema_usernameAccounts: typeof usernameAccounts;
7198
+ declare const schema_users: typeof users;
7199
+ declare namespace schema {
7200
+ export { schema_agentCards as agentCards, schema_agentDids as agentDids, schema_agents as agents, schema_apiKeys as apiKeys, schema_approvalRequests as approvalRequests, schema_auditLogs as auditLogs, schema_budgetPolicies as budgetPolicies, schema_costEvents as costEvents, schema_delegationChains as delegationChains, schema_emailOtps as emailOtps, schema_ephemeralSessions as ephemeralSessions, schema_federationInstances as federationInstances, schema_federationTokens as federationTokens, schema_jwtRefreshTokens as jwtRefreshTokens, schema_loginHistory as loginHistory, schema_magicLinks as magicLinks, schema_mcpServers as mcpServers, schema_oauthAccessTokens as oauthAccessTokens, schema_oauthAuthorizationCodes as oauthAuthorizationCodes, schema_oauthClients as oauthClients, schema_oidcAuthCodes as oidcAuthCodes, schema_oidcClients as oidcClients, schema_oidcRefreshTokens as oidcRefreshTokens, schema_oneTimeTokens as oneTimeTokens, schema_orgInvitations as orgInvitations, schema_orgMembers as orgMembers, schema_orgRoles as orgRoles, schema_organizations as organizations, schema_passkeyChallenges as passkeyChallenges, schema_passkeyCredentials as passkeyCredentials, schema_permissions as permissions, schema_phoneVerifications as phoneVerifications, schema_rateLimits as rateLimits, schema_rebacRelationships as rebacRelationships, schema_rebacResources as rebacResources, schema_sessions as sessions, schema_ssoConnections as ssoConnections, schema_streamEvents as streamEvents, schema_tenants as tenants, schema_totpRecords as totpRecords, schema_trustScores as trustScores, schema_trustedDevices as trustedDevices, schema_usernameAccounts as usernameAccounts, schema_users as users };
7201
+ }
7202
+
7203
+ /** Minimal Cloudflare D1 interface for type compatibility */
7204
+ interface D1DatabaseBinding {
7205
+ prepare(query: string): D1PreparedStatement;
7206
+ batch<T = unknown>(statements: D1PreparedStatement[]): Promise<D1Result<T>[]>;
7207
+ exec(query: string): Promise<D1ExecResult>;
7208
+ }
7209
+ interface D1PreparedStatement {
7210
+ bind(...values: unknown[]): D1PreparedStatement;
7211
+ first<T = unknown>(colName?: string): Promise<T | null>;
7212
+ run<T = unknown>(): Promise<D1Result<T>>;
7213
+ all<T = unknown>(): Promise<D1Result<T>>;
7214
+ raw<T = unknown>(): Promise<T[]>;
7215
+ }
7216
+ interface D1Result<T = unknown> {
7217
+ results: T[];
7218
+ success: boolean;
7219
+ meta: Record<string, unknown>;
7220
+ }
7221
+ interface D1ExecResult {
7222
+ count: number;
7223
+ duration: number;
6097
7224
  }
7225
+ /**
7226
+ * The fully-typed SQLite Drizzle database.
7227
+ * Postgres and MySQL connections are represented as `AnyDatabase` at the
7228
+ * adapter boundary because drizzle-orm exposes separate schema builders
7229
+ * (pg-core / mysql-core) that are incompatible with the SQLite schema
7230
+ * defined in schema.ts. Full multi-dialect Drizzle schema support is
7231
+ * planned for v0.2.0.
7232
+ */
7233
+ type Database = BaseSQLiteDatabase<"sync" | "async", Record<string, unknown>, typeof schema>;
7234
+ type DatabaseConfig = {
7235
+ provider: "sqlite" | "postgres" | "mysql";
7236
+ /** Connection URL. Required for sqlite, postgres, and mysql. */
7237
+ url: string;
7238
+ /** Skip automatic table creation on init (default: false) */
7239
+ skipMigrations?: boolean;
7240
+ } | {
7241
+ provider: "d1";
7242
+ /** Cloudflare D1 binding from the Worker environment. Required when provider is "d1". */
7243
+ binding: D1DatabaseBinding;
7244
+ /** Skip automatic table creation on init (default: false) */
7245
+ skipMigrations?: boolean;
7246
+ };
6098
7247
  /**
6099
7248
  * Create a database connection.
6100
7249
  *
6101
7250
  * - **SQLite** – fully typed Drizzle ORM via `better-sqlite3` (current default).
6102
7251
  * - **Postgres** – Drizzle connection via `drizzle-orm/node-postgres` + `pg` (peer dep).
6103
7252
  * - **MySQL** – Drizzle connection via `drizzle-orm/mysql2` + `mysql2` (peer dep).
7253
+ * - **D1** – Drizzle connection via `drizzle-orm/d1` for Cloudflare Workers (peer dep).
6104
7254
  *
6105
- * For Postgres and MySQL the return value is typed as `Database` for source
7255
+ * For Postgres, MySQL, and D1 the return value is typed as `Database` for source
6106
7256
  * compatibility; the underlying Drizzle instance is created against the
6107
7257
  * correct driver. Full pg-core / mysql-core schema typings are planned for v0.2.0.
6108
7258
  */
6109
- declare function createDatabase(config: DatabaseConfig$1): Promise<Database>;
7259
+ declare function createDatabase(config: DatabaseConfig): Promise<Database>;
6110
7260
  /**
6111
7261
  * Synchronous SQLite-only factory kept for backwards compatibility with code
6112
7262
  * that cannot use async initialisation. Throws if a non-SQLite provider is
@@ -6114,7 +7264,7 @@ declare function createDatabase(config: DatabaseConfig$1): Promise<Database>;
6114
7264
  *
6115
7265
  * @deprecated Prefer the async `createDatabase()` which supports all providers.
6116
7266
  */
6117
- declare function createDatabaseSync(config: DatabaseConfig$1): Database;
7267
+ declare function createDatabaseSync(config: DatabaseConfig): Database;
6118
7268
 
6119
7269
  interface AgentConfig {
6120
7270
  /** Enable agent identity management */
@@ -6538,6 +7688,199 @@ interface EmailOtpModule {
6538
7688
  }
6539
7689
  declare function createEmailOtpModule(config: EmailOtpConfig, db: Database, sessionManager: SessionManager): EmailOtpModule;
6540
7690
 
7691
+ /**
7692
+ * One-time token module for KavachOS.
7693
+ *
7694
+ * Issues single-use tokens for email verification, password resets,
7695
+ * invitations, and custom flows. The raw token is returned to the caller
7696
+ * once and never persisted — only a SHA-256 hash is stored. Tokens are
7697
+ * invalidated on first use or when they expire.
7698
+ *
7699
+ * @example
7700
+ * ```typescript
7701
+ * const tokens = createOneTimeTokenModule({}, db);
7702
+ *
7703
+ * // Create a password-reset token
7704
+ * const result = await tokens.createToken({
7705
+ * purpose: 'password-reset',
7706
+ * identifier: 'alice@example.com',
7707
+ * ttlSeconds: 1800,
7708
+ * });
7709
+ * if (result.success) {
7710
+ * await mailer.send({ to: 'alice@example.com', token: result.data.token });
7711
+ * }
7712
+ *
7713
+ * // Validate (and consume) on the reset page
7714
+ * const validation = await tokens.validateToken(incomingToken, 'password-reset');
7715
+ * if (validation.success) {
7716
+ * // validation.data.identifier === 'alice@example.com'
7717
+ * }
7718
+ * ```
7719
+ */
7720
+
7721
+ /** Token purpose discriminator. Use 'custom' for any application-specific flow. */
7722
+ type OneTimeTokenPurpose = "email-verify" | "password-reset" | "invitation" | "custom";
7723
+ interface OneTimeTokenConfig {
7724
+ /** Default TTL in seconds when none is specified per-call. Default: 3600 (1 hour). */
7725
+ defaultTtlSeconds?: number;
7726
+ }
7727
+ interface CreateTokenInput {
7728
+ purpose: OneTimeTokenPurpose;
7729
+ /** Email address, user ID, or any caller-supplied key that scopes the token. */
7730
+ identifier: string;
7731
+ /** Arbitrary data to associate with the token (e.g. org ID, invited role). */
7732
+ metadata?: Record<string, unknown>;
7733
+ /** Override the module-level default TTL for this token only. */
7734
+ ttlSeconds?: number;
7735
+ }
7736
+ interface ValidateTokenResult {
7737
+ identifier: string;
7738
+ metadata?: Record<string, unknown>;
7739
+ }
7740
+ interface RevokeTokensResult {
7741
+ count: number;
7742
+ }
7743
+ interface OneTimeTokenModule {
7744
+ /**
7745
+ * Create a new one-time token.
7746
+ *
7747
+ * Returns the raw token (hex string) exactly once. Store it in your email
7748
+ * or link — it cannot be recovered from the database afterwards.
7749
+ */
7750
+ createToken(input: CreateTokenInput): Promise<Result<{
7751
+ token: string;
7752
+ expiresAt: Date;
7753
+ }>>;
7754
+ /**
7755
+ * Validate a token and mark it as used.
7756
+ *
7757
+ * Fails when the token is unknown, already used, expired, or belongs to a
7758
+ * different purpose. On success the token is consumed immediately.
7759
+ */
7760
+ validateToken(token: string, purpose: string): Promise<Result<ValidateTokenResult>>;
7761
+ /**
7762
+ * Revoke all active tokens for an identifier, optionally scoped to a purpose.
7763
+ *
7764
+ * Useful for invalidating outstanding password-reset links when a user
7765
+ * changes their password through another flow, or for cleaning up on account
7766
+ * deletion.
7767
+ */
7768
+ revokeTokens(identifier: string, purpose?: string): Promise<Result<RevokeTokensResult>>;
7769
+ }
7770
+ /**
7771
+ * Create a one-time token module backed by the provided database.
7772
+ *
7773
+ * The module is stateless — no in-memory caches — so multiple instances
7774
+ * sharing the same database are safe.
7775
+ */
7776
+ declare function createOneTimeTokenModule(config: OneTimeTokenConfig, db: Database): OneTimeTokenModule;
7777
+
7778
+ /**
7779
+ * Email verification module for KavachOS.
7780
+ *
7781
+ * Handles the full email address verification flow: generating single-use
7782
+ * tokens, sending verification emails, and marking user addresses as verified
7783
+ * in the database. Composes the one-time token module so tokens are stored as
7784
+ * SHA-256 hashes and consumed on first use.
7785
+ *
7786
+ * Security properties:
7787
+ * - Tokens are 256-bit random, stored as SHA-256 hashes (never in plaintext).
7788
+ * - Single-use: consumed on first validation.
7789
+ * - Configurable TTL (default 24 hours).
7790
+ * - Outstanding verify tokens are revoked after successful verification.
7791
+ * - Sending to an already-verified address returns success without sending.
7792
+ *
7793
+ * @example
7794
+ * ```typescript
7795
+ * const kavach = await createKavach({
7796
+ * database: { provider: 'sqlite', url: 'kavach.db' },
7797
+ * auth: { session: { secret: process.env.SESSION_SECRET } },
7798
+ * emailVerification: {
7799
+ * sendVerificationEmail: async (email, token, verifyUrl) => {
7800
+ * await resend.emails.send({
7801
+ * to: email,
7802
+ * subject: 'Verify your email',
7803
+ * html: `<a href="${verifyUrl}">Verify email</a>`,
7804
+ * });
7805
+ * },
7806
+ * verifyUrl: 'https://app.example.com/verify-email',
7807
+ * },
7808
+ * });
7809
+ *
7810
+ * // Send verification email
7811
+ * await kavach.emailVerification.sendVerification(userId, 'alice@example.com');
7812
+ *
7813
+ * // Verify the token from the link
7814
+ * const result = await kavach.emailVerification.verify(token);
7815
+ * if (result.success) console.log('Verified:', result.data.userId);
7816
+ * ```
7817
+ */
7818
+
7819
+ interface EmailVerificationConfig {
7820
+ /**
7821
+ * Callback to send the verification email.
7822
+ *
7823
+ * KavachOS generates the token and constructs the verify URL. Your job is
7824
+ * to deliver it (Resend, SES, SMTP, Postmark, whatever you use).
7825
+ */
7826
+ sendVerificationEmail: (email: string, token: string, verifyUrl: string) => Promise<void>;
7827
+ /**
7828
+ * Base URL for the verify page in your app.
7829
+ *
7830
+ * The token is appended as `?token=<token>`. Example:
7831
+ * `https://app.example.com/verify-email` produces
7832
+ * `https://app.example.com/verify-email?token=abc123...`
7833
+ */
7834
+ verifyUrl: string;
7835
+ /**
7836
+ * Token TTL in seconds. Default: 86400 (24 hours).
7837
+ */
7838
+ tokenTtlSeconds?: number;
7839
+ /**
7840
+ * When true, call `sendVerification` automatically after sign-up.
7841
+ * Default: false.
7842
+ *
7843
+ * The caller is still responsible for calling `sendVerification` directly
7844
+ * if this is false. This flag is informational — KavachOS uses it to
7845
+ * signal intent to integrations (e.g. the username module).
7846
+ */
7847
+ autoVerifyOnSignUp?: boolean;
7848
+ }
7849
+ interface EmailVerificationModule {
7850
+ /**
7851
+ * Create a verification token and send the verification email.
7852
+ *
7853
+ * Returns `{ sent: true }` when the email was dispatched.
7854
+ * Returns `{ sent: false }` when the email is already verified — no
7855
+ * email is sent and no token is created in that case.
7856
+ */
7857
+ sendVerification(userId: string, email: string): Promise<Result<{
7858
+ sent: boolean;
7859
+ }>>;
7860
+ /**
7861
+ * Validate a verification token and mark the user's email as verified.
7862
+ *
7863
+ * The token is consumed on success. All outstanding verify tokens for
7864
+ * the address are revoked after successful verification.
7865
+ */
7866
+ verify(token: string): Promise<Result<{
7867
+ userId: string;
7868
+ email: string;
7869
+ }>>;
7870
+ /**
7871
+ * Check whether a user's email address has been verified.
7872
+ */
7873
+ isVerified(userId: string): Promise<boolean>;
7874
+ /**
7875
+ * Handle HTTP requests for email verification endpoints.
7876
+ *
7877
+ * - POST /auth/verify-email/send — { userId, email }
7878
+ * - POST /auth/verify-email/confirm — { token }
7879
+ */
7880
+ handleRequest(request: Request): Promise<Response | null>;
7881
+ }
7882
+ declare function createEmailVerificationModule(config: EmailVerificationConfig, db: Database, tokenModule: OneTimeTokenModule): EmailVerificationModule;
7883
+
6541
7884
  /**
6542
7885
  * Magic link authentication for KavachOS.
6543
7886
  *
@@ -6702,7 +8045,7 @@ declare function createOrgModule(config: OrgConfig, db: Database): OrgModule;
6702
8045
  * Passkey / WebAuthn authentication for KavachOS.
6703
8046
  *
6704
8047
  * Implements server-side WebAuthn (Level 2) without external libraries.
6705
- * Uses Web Crypto API (via node:crypto's webcrypto) for signature verification
8048
+ * Uses the Web Crypto API for signature verification
6706
8049
  * and a minimal CBOR decoder for attestation object parsing.
6707
8050
  *
6708
8051
  * Flow:
@@ -6814,6 +8157,121 @@ interface PasskeyModule {
6814
8157
  }
6815
8158
  declare function createPasskeyModule(config: PasskeyConfig, db: Database): PasskeyModule;
6816
8159
 
8160
+ /**
8161
+ * Password reset module for KavachOS.
8162
+ *
8163
+ * Composes the one-time token module with the username auth module to provide
8164
+ * a complete forgot-password and reset-password flow. The caller supplies an
8165
+ * email-sending callback; KavachOS handles token generation, validation,
8166
+ * password hashing, and session revocation.
8167
+ *
8168
+ * Security properties:
8169
+ * - Tokens are 256-bit random, stored as SHA-256 hashes (never in plaintext).
8170
+ * - Single-use: consumed on first validation.
8171
+ * - Configurable TTL (default 1 hour).
8172
+ * - All existing sessions are revoked on successful reset.
8173
+ * - Email enumeration resistant: always returns success, even for unknown emails.
8174
+ * - Outstanding reset tokens are revoked when a new one is requested.
8175
+ *
8176
+ * @example
8177
+ * ```typescript
8178
+ * const kavach = await createKavach({
8179
+ * database: { provider: 'sqlite', url: 'kavach.db' },
8180
+ * auth: { session: { secret: process.env.SESSION_SECRET } },
8181
+ * username: { password: { minLength: 8 } },
8182
+ * passwordReset: {
8183
+ * sendResetEmail: async (email, token, resetUrl) => {
8184
+ * await resend.emails.send({
8185
+ * to: email,
8186
+ * subject: 'Reset your password',
8187
+ * html: `<a href="${resetUrl}">Reset password</a>`,
8188
+ * });
8189
+ * },
8190
+ * resetUrl: 'https://app.example.com/reset-password',
8191
+ * },
8192
+ * });
8193
+ *
8194
+ * // Forgot password (always succeeds — no email enumeration)
8195
+ * await kavach.passwordReset.requestReset('alice@example.com');
8196
+ *
8197
+ * // Reset password (from the link in the email)
8198
+ * const result = await kavach.passwordReset.resetPassword(token, 'new-password-123');
8199
+ * ```
8200
+ */
8201
+
8202
+ interface PasswordResetConfig {
8203
+ /**
8204
+ * Callback to send the password reset email.
8205
+ *
8206
+ * KavachOS generates the token and constructs the reset URL. Your job is
8207
+ * to deliver it (Resend, SES, SMTP, Postmark, whatever you use).
8208
+ *
8209
+ * The function should not throw for unknown emails. KavachOS already
8210
+ * handles that by silently succeeding.
8211
+ */
8212
+ sendResetEmail: (email: string, token: string, resetUrl: string) => Promise<void>;
8213
+ /**
8214
+ * Base URL for the reset page in your app.
8215
+ *
8216
+ * The token is appended as `?token=<token>`. Example:
8217
+ * `https://app.example.com/reset-password` produces
8218
+ * `https://app.example.com/reset-password?token=abc123...`
8219
+ */
8220
+ resetUrl: string;
8221
+ /**
8222
+ * Token TTL in seconds. Default: 3600 (1 hour).
8223
+ *
8224
+ * Keep this short. Password reset tokens are high-value targets.
8225
+ */
8226
+ tokenTtlSeconds?: number;
8227
+ /**
8228
+ * Revoke all existing sessions on successful password reset.
8229
+ * Default: true.
8230
+ *
8231
+ * If someone's password was compromised, you want to kick out the
8232
+ * attacker's sessions too.
8233
+ */
8234
+ revokeSessionsOnReset?: boolean;
8235
+ /**
8236
+ * Minimum password length for the new password.
8237
+ * Default: 8 (matches username module default).
8238
+ */
8239
+ minPasswordLength?: number;
8240
+ /**
8241
+ * Maximum password length for the new password.
8242
+ * Default: 128 (matches username module default).
8243
+ */
8244
+ maxPasswordLength?: number;
8245
+ }
8246
+ interface PasswordResetModule {
8247
+ /**
8248
+ * Request a password reset for the given email.
8249
+ *
8250
+ * Always returns success to prevent email enumeration. If the email
8251
+ * is not associated with any account, nothing happens (no email sent).
8252
+ */
8253
+ requestReset(email: string): Promise<Result<{
8254
+ sent: boolean;
8255
+ }>>;
8256
+ /**
8257
+ * Reset a password using a token from the reset email.
8258
+ *
8259
+ * Validates the token, updates the password hash, and optionally
8260
+ * revokes all sessions. The token is consumed on success.
8261
+ */
8262
+ resetPassword(token: string, newPassword: string): Promise<Result<{
8263
+ userId: string;
8264
+ }>>;
8265
+ /**
8266
+ * Handle HTTP requests for password reset endpoints.
8267
+ *
8268
+ * - POST /auth/forgot-password — { email }
8269
+ * - POST /auth/reset-password — { token, password }
8270
+ */
8271
+ handleRequest(request: Request): Promise<Response | null>;
8272
+ }
8273
+ declare function createPasswordResetModule(config: PasswordResetConfig, db: Database, sessionManager: SessionManager, tokenModule: OneTimeTokenModule): PasswordResetModule;
8274
+
6817
8275
  /**
6818
8276
  * Phone number (SMS OTP) authentication for KavachOS.
6819
8277
  *
@@ -7032,7 +8490,7 @@ declare function createSsoModule(config: SsoConfig, db: Database): SsoModule;
7032
8490
  * TOTP two-factor authentication for KavachOS.
7033
8491
  *
7034
8492
  * Implements RFC 6238 (TOTP) and RFC 4226 (HOTP) from scratch using
7035
- * node:crypto — no external dependencies.
8493
+ * the Web Crypto API — no external dependencies.
7036
8494
  *
7037
8495
  * Flow:
7038
8496
  * 1. `setup(userId)` — generate secret + backup codes (not yet active)
@@ -7436,6 +8894,192 @@ interface PluginInitResult {
7436
8894
  context?: Record<string, unknown>;
7437
8895
  }
7438
8896
 
8897
+ interface RedirectConfig {
8898
+ /** Cookie name for storing the redirect chain (default: "kavach_redirect") */
8899
+ cookieName?: string;
8900
+ /** Max age in seconds for the redirect cookie (default: 600 = 10 min) */
8901
+ maxAge?: number;
8902
+ /** Default path when no redirect is stored (default: "/") */
8903
+ defaultPath?: string;
8904
+ /** Paths that should never be stored as destinations (auth pages, etc.) */
8905
+ excludePaths?: string[];
8906
+ /** Whether to preserve query params from the original URL (default: true) */
8907
+ preserveQuery?: boolean;
8908
+ /** Whether to preserve hash fragments (default: true) */
8909
+ preserveHash?: boolean;
8910
+ /** Max chain depth to prevent infinite loops (default: 10) */
8911
+ maxDepth?: number;
8912
+ /** Custom cookie options */
8913
+ cookie?: {
8914
+ httpOnly?: boolean;
8915
+ secure?: boolean;
8916
+ sameSite?: "lax" | "strict" | "none";
8917
+ path?: string;
8918
+ domain?: string;
8919
+ };
8920
+ }
8921
+ interface RedirectEntry {
8922
+ /** Unique ID for this entry */
8923
+ id: string;
8924
+ /** The URL path (e.g., "/dashboard/project/abc") */
8925
+ path: string;
8926
+ /** Query parameters as a record */
8927
+ query: Record<string, string>;
8928
+ /** Hash fragment without # */
8929
+ hash: string;
8930
+ /** When this entry was created (epoch ms) */
8931
+ createdAt: number;
8932
+ /** Optional label for debugging ("onboarding", "verify-email", etc.) */
8933
+ label?: string;
8934
+ }
8935
+ interface RedirectChainState {
8936
+ /** The original destination the user was trying to reach */
8937
+ origin: RedirectEntry;
8938
+ /** Stack of intermediate steps (LIFO -- last pushed = first popped) */
8939
+ steps: RedirectEntry[];
8940
+ /** Chain creation time */
8941
+ createdAt: number;
8942
+ }
8943
+ interface RedirectChainManager {
8944
+ /**
8945
+ * Capture the current request's URL as the origin destination.
8946
+ * Call this in your auth middleware when redirecting to sign-in.
8947
+ * Returns the Set-Cookie header value.
8948
+ *
8949
+ * If a chain already exists (user refreshed sign-in page), keeps the existing origin.
8950
+ */
8951
+ capture(request: Request): string;
8952
+ /**
8953
+ * Push an intermediate step onto the chain.
8954
+ * Use this after sign-up to add onboarding, email verification, etc.
8955
+ * Returns the updated Set-Cookie header value.
8956
+ *
8957
+ * Example: after sign-up, push "/onboarding" then "/complete-profile"
8958
+ * When onboarding completes, pop() returns "/complete-profile"
8959
+ * When profile completes, pop() returns the original destination
8960
+ */
8961
+ push(path: string, options?: {
8962
+ label?: string;
8963
+ query?: Record<string, string>;
8964
+ }): string;
8965
+ /**
8966
+ * Pop the next destination from the chain.
8967
+ * If there are intermediate steps, returns the next step.
8968
+ * If no steps remain, returns the original destination.
8969
+ * If chain is empty, returns the defaultPath.
8970
+ *
8971
+ * Returns { url, done, clearCookie }
8972
+ * - url: the full URL path with query params
8973
+ * - done: true when the chain is fully consumed
8974
+ * - clearCookie: Set-Cookie header to clear the cookie (only when chain is fully consumed)
8975
+ */
8976
+ pop(request: Request): {
8977
+ url: string;
8978
+ done: boolean;
8979
+ clearCookie: string | null;
8980
+ };
8981
+ /**
8982
+ * Peek at the next destination without consuming it.
8983
+ */
8984
+ peek(request: Request): {
8985
+ url: string;
8986
+ remaining: number;
8987
+ } | null;
8988
+ /**
8989
+ * Get the original destination (the URL the user first tried to visit).
8990
+ * Returns null if no chain exists.
8991
+ */
8992
+ getOrigin(request: Request): RedirectEntry | null;
8993
+ /**
8994
+ * Clear the entire chain. Returns the Set-Cookie header to clear the cookie.
8995
+ */
8996
+ clear(): string;
8997
+ /**
8998
+ * Parse the chain state from a request's cookies.
8999
+ * Returns null if no chain exists or if it's expired.
9000
+ */
9001
+ parse(request: Request): RedirectChainState | null;
9002
+ /**
9003
+ * Build a full URL from a RedirectEntry (path + query + hash).
9004
+ */
9005
+ buildUrl(entry: RedirectEntry): string;
9006
+ /**
9007
+ * Create a RedirectEntry from a URL string or Request.
9008
+ */
9009
+ createEntry(url: string | Request, label?: string): RedirectEntry;
9010
+ }
9011
+ /** Create a redirect chain manager with the given config. */
9012
+ declare function createRedirectChain(config?: RedirectConfig): RedirectChainManager;
9013
+
9014
+ /**
9015
+ * Session freshness enforcement for KavachOS.
9016
+ *
9017
+ * Sensitive operations (password change, passkey registration, billing updates)
9018
+ * should require a "fresh" session -- one where the user authenticated recently,
9019
+ * not just one that was auto-refreshed hours ago.
9020
+ *
9021
+ * This module adds freshness checks without touching the core session schema.
9022
+ * It works by comparing the session's `createdAt` timestamp against a
9023
+ * configurable freshness window.
9024
+ *
9025
+ * @example
9026
+ * ```typescript
9027
+ * const freshness = createSessionFreshnessModule({ freshAge: 300 }); // 5 minutes
9028
+ *
9029
+ * // In a sensitive endpoint
9030
+ * const session = await sessionManager.validate(token);
9031
+ * if (!freshness.isFresh(session)) {
9032
+ * return new Response(JSON.stringify({
9033
+ * error: 'Session is not fresh. Please re-authenticate.',
9034
+ * code: 'SESSION_NOT_FRESH',
9035
+ * }), { status: 403 });
9036
+ * }
9037
+ * ```
9038
+ */
9039
+
9040
+ interface SessionFreshnessConfig {
9041
+ /**
9042
+ * Maximum age in seconds for a session to be considered "fresh".
9043
+ * Default: 300 (5 minutes).
9044
+ *
9045
+ * After this window, the user must re-authenticate before performing
9046
+ * sensitive operations.
9047
+ */
9048
+ freshAge?: number;
9049
+ }
9050
+ interface SessionFreshnessModule {
9051
+ /**
9052
+ * Check if a session was created within the freshness window.
9053
+ *
9054
+ * Uses `session.createdAt` -- not `expiresAt` or last activity.
9055
+ * A session that was auto-refreshed is not considered fresh unless
9056
+ * the user actually re-authenticated.
9057
+ */
9058
+ isFresh(session: Session): boolean;
9059
+ /**
9060
+ * Assert that a session is fresh, returning a Result type.
9061
+ *
9062
+ * Returns `{ success: true }` if fresh, or an error result if stale.
9063
+ * Use this in request handlers for cleaner error propagation.
9064
+ */
9065
+ requireFresh(session: Session): Result<{
9066
+ freshUntil: Date;
9067
+ }>;
9068
+ /**
9069
+ * Middleware-style function that returns a Response if the session
9070
+ * is not fresh, or null if it passes.
9071
+ *
9072
+ * @example
9073
+ * ```typescript
9074
+ * const staleResponse = freshness.guard(session);
9075
+ * if (staleResponse) return staleResponse;
9076
+ * // ...proceed with sensitive operation
9077
+ * ```
9078
+ */
9079
+ guard(session: Session): Response | null;
9080
+ }
9081
+ declare function createSessionFreshnessModule(config?: SessionFreshnessConfig): SessionFreshnessModule;
9082
+
7439
9083
  /**
7440
9084
  * Main configuration for KavachOS
7441
9085
  */
@@ -7496,6 +9140,15 @@ interface KavachConfig {
7496
9140
  * configured so that sessions can be issued on successful verification.
7497
9141
  */
7498
9142
  emailOtp?: EmailOtpConfig;
9143
+ /**
9144
+ * Email verification flow.
9145
+ *
9146
+ * When provided, `kavach.emailVerification` is available with
9147
+ * `sendVerification`, `verify`, `isVerified`, and `handleRequest`.
9148
+ * The caller provides a `sendVerificationEmail` callback to deliver the
9149
+ * link.
9150
+ */
9151
+ emailVerification?: EmailVerificationConfig;
7499
9152
  /**
7500
9153
  * TOTP two-factor authentication.
7501
9154
  *
@@ -7549,6 +9202,15 @@ interface KavachConfig {
7549
9202
  * `auth.session` to be configured so that sessions can be issued.
7550
9203
  */
7551
9204
  username?: UsernameAuthConfig;
9205
+ /**
9206
+ * Password reset (forgot password) flow.
9207
+ *
9208
+ * When provided, `kavach.passwordReset` is available with `requestReset`,
9209
+ * `resetPassword`, and `handleRequest`. Requires `username` and
9210
+ * `auth.session` to be configured. The caller provides a `sendResetEmail`
9211
+ * callback to deliver the reset link.
9212
+ */
9213
+ passwordReset?: PasswordResetConfig;
7552
9214
  /**
7553
9215
  * Phone number (SMS OTP) authentication.
7554
9216
  *
@@ -7570,18 +9232,21 @@ interface KavachConfig {
7570
9232
  * to. Deliveries are fire-and-forget with exponential backoff retries.
7571
9233
  */
7572
9234
  webhooks?: WebhookConfig[];
7573
- }
7574
- interface DatabaseConfig {
7575
- /** Database provider */
7576
- provider: "sqlite" | "postgres" | "mysql";
7577
- /** Connection URL (sqlite: file path, postgres/mysql: connection string) */
7578
- url: string;
7579
9235
  /**
7580
- * Skip automatic `CREATE TABLE IF NOT EXISTS` on init.
7581
- * Useful when you manage migrations externally (e.g. Flyway, Liquibase,
7582
- * drizzle-kit push). Defaults to `false`.
9236
+ * Redirect chain configuration.
9237
+ *
9238
+ * When provided, `kavach.redirects` is available for capturing the user's
9239
+ * original destination before auth flows and restoring it afterwards,
9240
+ * with support for intermediate steps (onboarding, email verification, etc.).
9241
+ */
9242
+ redirects?: RedirectConfig;
9243
+ /**
9244
+ * Session freshness configuration.
9245
+ *
9246
+ * Controls the maximum session age (in seconds) for sensitive operations.
9247
+ * When omitted, defaults to 300 seconds (5 minutes).
7583
9248
  */
7584
- skipMigrations?: boolean;
9249
+ sessionFreshness?: SessionFreshnessConfig;
7585
9250
  }
7586
9251
  /**
7587
9252
  * The main KavachOS instance returned by createKavach()
@@ -7756,4 +9421,4 @@ interface TokenValidationResult {
7756
9421
  }
7757
9422
  type McpMiddleware = (request: Request) => Promise<Response | undefined>;
7758
9423
 
7759
- export { type CaptchaVerifyResult as $, type AgentDid as A, type EndpointContext as B, type CreateAgentInput as C, type Database as D, type EmailOtpModule as E, type KavachPlugin as F, type SessionConfig as G, type Session as H, type AdminConfig as I, type AdminUser as J, type KavachConfig as K, type AgentConfig as L, type McpServerInput as M, type ApiKey as N, type OrgModule as O, type Permission as P, type ApiKeyManagerConfig as Q, type RequestContext as R, type SignedPayload as S, type TotpModule as T, type UpdateAgentInput as U, type VerificationResult as V, type WebhookModule as W, type ApprovalConfig as X, type ApprovalModule as Y, type AuthAdapter as Z, type CaptchaConfig as _, type DatabaseConfig$1 as a, organizations as a$, type DatabaseConfig as a0, type EmailOtpConfig as a1, type KavachHooks as a2, type KavachInstance as a3, type MagicLinkConfig as a4, type McpMiddleware as a5, type OidcProvider as a6, type OrgConfig as a7, type OrgInvitation as a8, type OrgMember as a9, budgetPolicies as aA, classifyViolation as aB, createAdminModule as aC, createApiKeyManagerModule as aD, createApprovalModule as aE, createCaptchaModule as aF, createDatabase as aG, createDatabaseSync as aH, createEmailOtpModule as aI, createMagicLinkModule as aJ, createOrgModule as aK, createPasskeyModule as aL, createPhoneAuthModule as aM, createSessionManager as aN, createSsoModule as aO, createTotpModule as aP, createUsernameAuthModule as aQ, delegationChains as aR, emailOtps as aS, magicLinks as aT, mcpServers as aU, oauthAccessTokens as aV, oauthAuthorizationCodes as aW, oauthClients as aX, orgInvitations as aY, orgMembers as aZ, orgRoles as a_, type OrgRole as aa, type Organization as ab, type PasskeyConfig as ac, type PasskeyCredential as ad, type PermissionConstraints as ae, type PhoneAuthConfig as af, type PluginContext as ag, type PluginInitResult as ah, SSO_ERROR as ai, type SamlProvider as aj, type ServiceEndpoint as ak, type SsoAuditEvent as al, type SsoConfig as am, type SsoConnection as an, SsoError as ao, type TokenValidationResult as ap, type TotpConfig as aq, type TotpSetup as ar, type UsernameAuthConfig as as, type VerificationMethod as at, agentCards as au, agentDids as av, agents as aw, apiKeys as ax, approvalRequests as ay, auditLogs as az, type DelegateInput as b, passkeyChallenges as b0, passkeyCredentials as b1, permissions as b2, rateLimits as b3, sessions as b4, ssoConnections as b5, tenants as b6, totpRecords as b7, trustScores as b8, users as b9, type WebhookConfig as ba, type WebhookEvent as bb, createWebhookModule as bc, type DelegationChain as c, type DidDocument as d, type DidKeyPair as e, type DidWebConfig as f, type AgentIdentity as g, type AgentFilter as h, type AuthorizeRequest as i, type AuthorizeResult as j, type AuditFilter as k, type AuditEntry as l, type AuditExportOptions as m, type McpServer as n, type ResolvedUser as o, type SessionManager as p, type ApprovalRequest as q, type MagicLinkModule as r, type PasskeyModule as s, type SsoModule as t, type AdminModule as u, type ApiKeyManagerModule as v, type UsernameAuthModule as w, type PhoneAuthModule as x, type CaptchaModule as y, type PluginEndpoint as z };
9424
+ export { type ApiKeyManagerConfig as $, type AgentIdentity as A, type SessionFreshnessModule as B, type CreateAgentInput as C, type Database as D, type EmailOtpModule as E, type PhoneAuthModule as F, type CaptchaModule as G, type RedirectChainManager as H, type PluginEndpoint as I, type EndpointContext as J, type KavachConfig as K, type KavachPlugin as L, type McpServerInput as M, type SessionConfig as N, type OrgModule as O, type Permission as P, type Session as Q, type RequestContext as R, type SignedPayload as S, type TotpModule as T, type UpdateAgentInput as U, type VerificationResult as V, type WebhookModule as W, type AdminConfig as X, type AdminUser as Y, type AgentConfig as Z, type ApiKey as _, type DatabaseConfig as a, createOneTimeTokenModule as a$, type ApprovalConfig as a0, type ApprovalModule as a1, type AuthAdapter as a2, type CaptchaConfig as a3, type CaptchaVerifyResult as a4, type CreateTokenInput as a5, type D1DatabaseBinding as a6, type EmailOtpConfig as a7, type EmailVerificationConfig as a8, type KavachHooks as a9, type SsoAuditEvent as aA, type SsoConfig as aB, type SsoConnection as aC, SsoError as aD, type TokenValidationResult as aE, type TotpConfig as aF, type TotpSetup as aG, type UsernameAuthConfig as aH, type ValidateTokenResult as aI, type VerificationMethod as aJ, agentCards as aK, agentDids as aL, agents as aM, apiKeys as aN, approvalRequests as aO, auditLogs as aP, budgetPolicies as aQ, classifyViolation as aR, createAdminModule as aS, createApiKeyManagerModule as aT, createApprovalModule as aU, createCaptchaModule as aV, createDatabase as aW, createDatabaseSync as aX, createEmailOtpModule as aY, createEmailVerificationModule as aZ, createMagicLinkModule as a_, type KavachInstance as aa, type MagicLinkConfig as ab, type McpMiddleware as ac, type OidcProvider as ad, type OneTimeTokenConfig as ae, type OneTimeTokenPurpose as af, type OrgConfig as ag, type OrgInvitation as ah, type OrgMember as ai, type OrgRole as aj, type Organization as ak, type PasskeyConfig as al, type PasskeyCredential as am, type PasswordResetConfig as an, type PermissionConstraints as ao, type PhoneAuthConfig as ap, type PluginContext as aq, type PluginInitResult as ar, type RedirectChainState as as, type RedirectConfig as at, type RedirectEntry as au, type RevokeTokensResult as av, SSO_ERROR as aw, type SamlProvider as ax, type ServiceEndpoint as ay, type SessionFreshnessConfig as az, type DelegateInput as b, createOrgModule as b0, createPasskeyModule as b1, createPasswordResetModule as b2, createPhoneAuthModule as b3, createRedirectChain as b4, createSessionFreshnessModule as b5, createSessionManager as b6, createSsoModule as b7, createTotpModule as b8, createUsernameAuthModule as b9, delegationChains as ba, emailOtps as bb, magicLinks as bc, mcpServers as bd, oauthAccessTokens as be, oauthAuthorizationCodes as bf, oauthClients as bg, orgInvitations as bh, orgMembers as bi, orgRoles as bj, organizations as bk, passkeyChallenges as bl, passkeyCredentials as bm, permissions as bn, rateLimits as bo, sessions as bp, ssoConnections as bq, tenants as br, totpRecords as bs, trustScores as bt, users as bu, type WebhookConfig as bv, type WebhookEvent as bw, createWebhookModule as bx, type DelegationChain as c, type DidDocument as d, type DidKeyPair as e, type DidWebConfig as f, type AgentDid as g, type AgentFilter as h, type AuthorizeRequest as i, type AuthorizeResult as j, type AuditFilter as k, type AuditEntry as l, type AuditExportOptions as m, type McpServer as n, type ResolvedUser as o, type SessionManager as p, type ApprovalRequest as q, type MagicLinkModule as r, type PasskeyModule as s, type SsoModule as t, type AdminModule as u, type ApiKeyManagerModule as v, type UsernameAuthModule as w, type PasswordResetModule as x, type EmailVerificationModule as y, type OneTimeTokenModule as z };