kavachos 0.0.4 → 0.0.6

package/dist/auth/index.d.ts

@@ -1,9 +1,8 @@
 import { z } from 'zod';
-import { Z as AuthAdapter, o as ResolvedUser, F as KavachPlugin, D as Database, I as AdminConfig, p as SessionManager, Q as ApiKeyManagerConfig, a1 as EmailOtpConfig, a4 as MagicLinkConfig, a7 as OrgConfig, ac as PasskeyConfig, z as PluginEndpoint, aq as TotpConfig } from '../types-Xk83hv4O.js';
-export { u as AdminModule, J as AdminUser, N as ApiKey, v as ApiKeyManagerModule, _ as CaptchaConfig, y as CaptchaModule, $ as CaptchaVerifyResult, E as EmailOtpModule, r as MagicLinkModule, a6 as OidcProvider, a8 as OrgInvitation, a9 as OrgMember, O as OrgModule, aa as OrgRole, ab as Organization, ad as PasskeyCredential, s as PasskeyModule, af as PhoneAuthConfig, x as PhoneAuthModule, ai as SSO_ERROR, aj as SamlProvider, al as SsoAuditEvent, am as SsoConfig, an as SsoConnection, ao as SsoError, t as SsoModule, T as TotpModule, ar as TotpSetup, as as UsernameAuthConfig, w as UsernameAuthModule, ba as WebhookConfig, bb as WebhookEvent, W as WebhookModule, aC as createAdminModule, aD as createApiKeyManagerModule, aF as createCaptchaModule, aI as createEmailOtpModule, aJ as createMagicLinkModule, aK as createOrgModule, aL as createPasskeyModule, aM as createPhoneAuthModule, aO as createSsoModule, aP as createTotpModule, aQ as createUsernameAuthModule, bc as createWebhookModule } from '../types-Xk83hv4O.js';
-import { R as Result } from '../types-mwupB57A.js';
+import { a2 as AuthAdapter, o as ResolvedUser, L as KavachPlugin, D as Database, X as AdminConfig, p as SessionManager, $ as ApiKeyManagerConfig, a7 as EmailOtpConfig, P as Permission, ab as MagicLinkConfig, ag as OrgConfig, al as PasskeyConfig, I as PluginEndpoint, aF as TotpConfig } from '../types-W8X0PXE7.js';
+export { u as AdminModule, Y as AdminUser, _ as ApiKey, v as ApiKeyManagerModule, a3 as CaptchaConfig, G as CaptchaModule, a4 as CaptchaVerifyResult, a5 as CreateTokenInput, E as EmailOtpModule, a8 as EmailVerificationConfig, y as EmailVerificationModule, r as MagicLinkModule, ad as OidcProvider, ae as OneTimeTokenConfig, z as OneTimeTokenModule, af as OneTimeTokenPurpose, ah as OrgInvitation, ai as OrgMember, O as OrgModule, aj as OrgRole, ak as Organization, am as PasskeyCredential, s as PasskeyModule, an as PasswordResetConfig, x as PasswordResetModule, ap as PhoneAuthConfig, F as PhoneAuthModule, av as RevokeTokensResult, aw as SSO_ERROR, ax as SamlProvider, aA as SsoAuditEvent, aB as SsoConfig, aC as SsoConnection, aD as SsoError, t as SsoModule, T as TotpModule, aG as TotpSetup, aH as UsernameAuthConfig, w as UsernameAuthModule, aI as ValidateTokenResult, bv as WebhookConfig, bw as WebhookEvent, W as WebhookModule, aS as createAdminModule, aT as createApiKeyManagerModule, aV as createCaptchaModule, aY as createEmailOtpModule, aZ as createEmailVerificationModule, a_ as createMagicLinkModule, a$ as createOneTimeTokenModule, b0 as createOrgModule, b1 as createPasskeyModule, b2 as createPasswordResetModule, b3 as createPhoneAuthModule, b7 as createSsoModule, b8 as createTotpModule, b9 as createUsernameAuthModule, bx as createWebhookModule } from '../types-W8X0PXE7.js';
+import { R as Result } from '../types-BuHrZcjE.js';
 import * as jose from 'jose';
-import 'drizzle-orm/better-sqlite3';
 import 'drizzle-orm/sqlite-core';
 
 /**
@@ -288,6 +287,87 @@ declare function anonymousAuth(config?: AnonymousAuthConfig): KavachPlugin;
 
 declare function apiKeys(config?: ApiKeyManagerConfig): KavachPlugin;
 
+interface CostAttributionConfig {
+    /** ISO 4217 currency code, default 'USD' */
+    currency?: string;
+    /** Dollar amounts that trigger alerts */
+    alertThresholds?: {
+        warn: number;
+        critical: number;
+    };
+    /** Called when a threshold is crossed or budget exceeded */
+    onAlert?: (alert: CostAlert) => void | Promise<void>;
+    /** How many days of events to keep, default 90 */
+    retentionDays?: number;
+}
+interface RecordCostInput {
+    agentId: string;
+    /** e.g. 'openai:gpt-4o', 'anthropic:claude-3-5-sonnet', 'mcp:github' */
+    tool: string;
+    inputTokens?: number;
+    outputTokens?: number;
+    costUsd: number;
+    metadata?: Record<string, unknown>;
+    /** Attribute to a delegation chain */
+    delegationChainId?: string;
+}
+interface CostReport {
+    agentId: string;
+    period: {
+        start: Date;
+        end: Date;
+    };
+    totalCostUsd: number;
+    byTool: Array<{
+        tool: string;
+        costUsd: number;
+        callCount: number;
+    }>;
+    byDay: Array<{
+        date: string;
+        costUsd: number;
+    }>;
+}
+interface CostAlert {
+    type: "warn" | "critical" | "budget_exceeded";
+    agentId: string;
+    currentCostUsd: number;
+    threshold: number;
+    period: string;
+}
+interface BudgetCheckResult {
+    withinBudget: boolean;
+    spent: number;
+    limit: number | null;
+    remaining: number | null;
+}
+interface CostAttributionModule {
+    recordCost(input: RecordCostInput): Promise<Result<void>>;
+    getAgentCost(agentId: string, period?: {
+        start: Date;
+        end: Date;
+    }): Promise<Result<CostReport>>;
+    getOwnerCost(ownerId: string, period?: {
+        start: Date;
+        end: Date;
+    }): Promise<Result<CostReport>>;
+    getTopAgentsByCost(limit?: number, period?: {
+        start: Date;
+        end: Date;
+    }): Promise<Result<Array<{
+        agentId: string;
+        totalCostUsd: number;
+    }>>>;
+    getDelegationChainCost(chainId: string): Promise<Result<CostReport>>;
+    checkBudget(agentId: string): Promise<Result<BudgetCheckResult>>;
+    cleanup(options?: {
+        retentionDays?: number;
+    }): Promise<Result<{
+        deleted: number;
+    }>>;
+}
+declare function createCostAttributionModule(db: Database, config?: CostAttributionConfig): CostAttributionModule;
+
 /**
  * Custom session fields plugin for KavachOS.
  *
@@ -423,6 +503,308 @@ declare function deviceAuth(config: DeviceAuthConfig): KavachPlugin;
 
 declare function emailOtp(config: EmailOtpConfig): KavachPlugin;
 
+/**
+ * Ephemeral agent sessions for KavachOS.
+ *
+ * Short-lived, auto-expiring agent credentials for single-task use. Designed
+ * for computer-use agents (Claude, GPT with browsing, operator loops) that
+ * should not hold persistent tokens across invocations.
+ *
+ * Each session spins up a temporary agent, issues a bounded bearer token, and
+ * tracks how many actions have been consumed. When the TTL lapses or the
+ * action budget is exhausted the token becomes invalid and the underlying
+ * agent is automatically revoked.
+ *
+ * @example
+ * ```typescript
+ * const mod = createEphemeralSessionModule({ db });
+ *
+ * // Create a 5-minute, 10-action session
+ * const result = await mod.createSession({
+ *   ownerId: 'user-123',
+ *   permissions: [{ resource: 'tool:browser', actions: ['navigate', 'click'] }],
+ *   ttlSeconds: 300,
+ *   maxActions: 10,
+ * });
+ *
+ * if (!result.success) throw new Error(result.error.message);
+ *
+ * const { token } = result.data;
+ *
+ * // Each time the agent performs an action
+ * await mod.consumeAction(token);
+ * ```
+ */
+
+interface EphemeralSessionConfig {
+    db: Database;
+    /** Default TTL for sessions in seconds (default: 300 = 5 min) */
+    defaultTtlSeconds?: number;
+    /** Hard ceiling on TTL in seconds (default: 3600 = 1 hour) */
+    maxTtlSeconds?: number;
+    /** Automatically revoke the underlying agent when the session expires (default: true) */
+    autoRevokeOnExpiry?: boolean;
+    /** Group all actions under a shared audit session ID (default: true) */
+    auditGrouping?: boolean;
+}
+interface CreateEphemeralSessionInput {
+    ownerId: string;
+    name?: string;
+    permissions: Permission[];
+    /** Seconds until the session expires (capped at maxTtlSeconds) */
+    ttlSeconds?: number;
+    /** Optional cap on the number of actions the token may authorize */
+    maxActions?: number;
+    metadata?: Record<string, unknown>;
+}
+interface EphemeralSession {
+    sessionId: string;
+    agentId: string;
+    /** Bearer token — shown once, never stored in plain text */
+    token: string;
+    expiresAt: Date;
+    maxActions: number | null;
+    actionsUsed: number;
+    status: "active" | "expired" | "exhausted" | "revoked";
+    /** Shared audit group ID for all actions within the session */
+    auditGroupId: string;
+    createdAt: Date;
+}
+interface EphemeralSessionValidateResult {
+    sessionId: string;
+    agentId: string;
+    remainingActions: number | null;
+    /** Seconds until the token expires */
+    expiresIn: number;
+    auditGroupId: string;
+}
+interface EphemeralSessionModule {
+    createSession(input: CreateEphemeralSessionInput): Promise<Result<EphemeralSession>>;
+    validateSession(token: string): Promise<Result<EphemeralSessionValidateResult>>;
+    consumeAction(token: string): Promise<Result<{
+        actionsRemaining: number | null;
+    }>>;
+    revokeSession(sessionId: string): Promise<Result<void>>;
+    listActiveSessions(ownerId: string): Promise<Result<EphemeralSession[]>>;
+    cleanupExpired(): Promise<Result<{
+        count: number;
+    }>>;
+}
+declare function createEphemeralSessionModule(config: EphemeralSessionConfig): EphemeralSessionModule;
+
+/**
+ * Real-time event streaming via Server-Sent Events (SSE) for KavachOS.
+ *
+ * Provides a persistent connection feed of audit events, agent lifecycle
+ * changes, auth events, and anomalies. SOC teams and monitoring systems can
+ * subscribe instead of polling the audit API or relying solely on webhooks.
+ *
+ * Endpoint: GET /api/kavach/events/stream
+ * Auth: Bearer token via Authorization header or `?token=` query param
+ * Filtering: `?types=audit,agent.created`
+ * Replay: `?since=2026-01-01T00:00:00Z` or Last-Event-ID header
+ *
+ * @example
+ * ```typescript
+ * const stream = createEventStreamModule({ db, requireAuth: true });
+ *
+ * // In your request handler
+ * const response = stream.handleRequest(request);
+ * if (response) return response;
+ *
+ * // Emit from anywhere in your app
+ * stream.emit({
+ *   id: crypto.generateId(),
+ *   type: 'agent.created',
+ *   timestamp: new Date(),
+ *   data: { agentId: 'ag_123', name: 'my-agent' },
+ * });
+ * ```
+ */
+
+declare const EVENT_TYPES: readonly ["audit", "agent.created", "agent.revoked", "agent.rotated", "auth.signin", "auth.signout", "auth.failed", "delegation.created", "delegation.revoked", "budget.exceeded", "anomaly.detected", "cost.recorded"];
+type EventType = (typeof EVENT_TYPES)[number];
+interface StreamEvent {
+    id: string;
+    type: EventType;
+    timestamp: Date;
+    data: Record<string, unknown>;
+    agentId?: string;
+    userId?: string;
+}
+interface EventStreamConfig {
+    db: Database;
+    /** Maximum concurrent SSE connections (default: 100) */
+    maxConnections?: number;
+    /** Heartbeat interval in milliseconds (default: 30000) */
+    heartbeatIntervalMs?: number;
+    /** Restrict which event types this stream delivers (default: all) */
+    eventTypes?: EventType[];
+    /** Require a valid Bearer token to connect (default: true) */
+    requireAuth?: boolean;
+    /**
+     * Validate a Bearer token and return the subscriber ID (userId or agentId)
+     * on success, or null on failure.
+     *
+     * Only called when `requireAuth` is true. When omitted, any non-empty token
+     * is accepted and used as the subscriber ID.
+     */
+    validateToken?: (token: string) => Promise<string | null>;
+}
+interface EventStreamModule {
+    /** Emit an event to all connected clients. */
+    emit(event: StreamEvent): void;
+    /** Handle an incoming HTTP request. Returns a Response or null when the request is not an SSE request. */
+    handleRequest(request: Request): Response | null;
+    /** Current number of active SSE connections. */
+    getConnectionCount(): number;
+    /** Replay persisted events since a timestamp, optionally filtered by type. */
+    replay(since: Date, types?: EventType[]): Promise<Result<StreamEvent[]>>;
+    /** Close all active connections and stop heartbeats. */
+    close(): void;
+}
+declare function createEventStreamModule(config: EventStreamConfig): EventStreamModule;
+
+/**
+ * Agent identity federation for KavachOS.
+ *
+ * Allows an agent created in one KavachOS instance (Service A) to
+ * authenticate at another KavachOS instance (Service B) without
+ * re-registration. The agent's identity, trust score, permissions,
+ * and delegation scope travel with the federation token.
+ *
+ * Federation tokens are short-lived JWTs signed by the source instance.
+ * The target instance verifies them by fetching the source's public key
+ * from `/.well-known/kavach-federation.json`. Optionally, a Verifiable
+ * Credential can be embedded for offline verification.
+ *
+ * @example
+ * ```typescript
+ * import { createFederationModule } from 'kavachos/auth';
+ * import { generateKeyPair, exportJWK } from 'jose';
+ *
+ * const { publicKey, privateKey } = await generateKeyPair('EdDSA');
+ *
+ * const federation = createFederationModule({
+ *   instanceId: 'instance-a',
+ *   instanceUrl: 'https://a.example.com',
+ *   signingKey: privateKey,
+ * });
+ *
+ * // Issue a token for an agent to carry to Service B
+ * const result = await federation.issueFederationToken('agent-123');
+ * ```
+ */
+
+declare const TrustLevelSchema: z.ZodEnum<["full", "limited", "verify-only"]>;
+type TrustLevel = z.infer<typeof TrustLevelSchema>;
+interface TrustedInstance {
+    instanceId: string;
+    instanceUrl: string;
+    publicKey?: JsonWebKey;
+    trustLevel?: TrustLevel;
+}
+interface FederationConfig {
+    /** Unique identifier for this KavachOS instance */
+    instanceId: string;
+    /** Public URL of this instance */
+    instanceUrl: string;
+    /** EdDSA private key for signing federation tokens */
+    signingKey: CryptoKey;
+    /** Pre-configured trusted instances */
+    trustedInstances?: TrustedInstance[];
+    /** Trust any KavachOS instance (dev mode only) */
+    autoTrust?: boolean;
+    /** Federation token lifetime in seconds. Default: 300 (5 minutes). */
+    tokenTtlSeconds?: number;
+}
+interface FederationToken {
+    /** Signed JWT */
+    token: string;
+    /** Token expiration */
+    expiresAt: Date;
+    /** Agent this token was issued for */
+    agentId: string;
+    /** Source instance ID */
+    sourceInstance: string;
+}
+interface FederatedAgent {
+    /** Agent ID from the source instance */
+    agentId: string;
+    /** Instance that issued this agent's identity */
+    sourceInstance: string;
+    /** Source instance URL */
+    sourceInstanceUrl: string;
+    /** Permissions carried by the token */
+    permissions: string[];
+    /** Trust level (0-1) from the source instance */
+    trustScore: number;
+    /** Delegation scope, if any */
+    delegationScope: string[];
+    /** When this token was verified */
+    verifiedAt: Date;
+    /** Embedded Verifiable Credential JWT, if present */
+    credential?: string;
+}
+interface InstanceIdentity {
+    /** This instance's ID */
+    instanceId: string;
+    /** This instance's URL */
+    instanceUrl: string;
+    /** Public key in JWK format for verifying federation tokens */
+    publicKeyJwk: JsonWebKey;
+    /** Protocol version */
+    protocolVersion: string;
+    /** Supported features */
+    features: string[];
+}
+interface IssueFederationTokenInput {
+    /** Agent ID to issue the token for */
+    agentId: string;
+    /** Optional target instance ID (audience restriction) */
+    targetInstance?: string;
+    /** Agent permissions to include in the token */
+    permissions?: string[];
+    /** Agent trust score (0-1) */
+    trustScore?: number;
+    /** Delegation scope */
+    delegationScope?: string[];
+    /** Optional VC JWT to embed */
+    credential?: string;
+}
+/** The well-known document served at /.well-known/kavach-federation.json */
+interface FederationWellKnown {
+    instanceId: string;
+    instanceUrl: string;
+    publicKeyJwk: JsonWebKey;
+    protocolVersion: string;
+    features: string[];
+}
+interface FederationModule {
+    /** Issue a federation token for an agent to use at another service */
+    issueFederationToken(input: IssueFederationTokenInput): Promise<Result<FederationToken>>;
+    /** Verify a federation token from another KavachOS instance */
+    verifyFederationToken(token: string): Promise<Result<FederatedAgent>>;
+    /** Get this instance's identity (for the well-known endpoint) */
+    getInstanceIdentity(): Promise<InstanceIdentity>;
+    /** Add a trusted instance */
+    addTrustedInstance(instance: TrustedInstance): Result<void>;
+    /** Remove a trusted instance by ID */
+    removeTrustedInstance(instanceId: string): Result<void>;
+    /** List all trusted instances */
+    listTrustedInstances(): TrustedInstance[];
+    /** Discover another instance via its well-known URL */
+    discoverInstance(url: string, fetchFn?: typeof globalThis.fetch): Promise<Result<TrustedInstance>>;
+}
+/**
+ * Create a federation module for cross-instance agent identity.
+ *
+ * The module signs short-lived JWTs that carry agent identity, permissions,
+ * and trust score. Remote instances verify these tokens using the source's
+ * public key, fetched from the well-known endpoint or pre-configured.
+ */
+declare function createFederationModule(config: FederationConfig): FederationModule;
+
 /**
  * GDPR module for KavachOS.
  *
@@ -1219,93 +1601,6 @@ declare function createOneTapModule(config: OneTapConfig, db: Database, sessionM
 
 declare function oneTap(config: OneTapConfig): KavachPlugin;
 
-/**
- * One-time token module for KavachOS.
- *
- * Issues single-use tokens for email verification, password resets,
- * invitations, and custom flows. The raw token is returned to the caller
- * once and never persisted — only a SHA-256 hash is stored. Tokens are
- * invalidated on first use or when they expire.
- *
- * @example
- * ```typescript
- * const tokens = createOneTimeTokenModule({}, db);
- *
- * // Create a password-reset token
- * const result = await tokens.createToken({
- *   purpose: 'password-reset',
- *   identifier: 'alice@example.com',
- *   ttlSeconds: 1800,
- * });
- * if (result.success) {
- *   await mailer.send({ to: 'alice@example.com', token: result.data.token });
- * }
- *
- * // Validate (and consume) on the reset page
- * const validation = await tokens.validateToken(incomingToken, 'password-reset');
- * if (validation.success) {
- *   // validation.data.identifier === 'alice@example.com'
- * }
- * ```
- */
-
-/** Token purpose discriminator. Use 'custom' for any application-specific flow. */
-type OneTimeTokenPurpose = "email-verify" | "password-reset" | "invitation" | "custom";
-interface OneTimeTokenConfig {
-    /** Default TTL in seconds when none is specified per-call. Default: 3600 (1 hour). */
-    defaultTtlSeconds?: number;
-}
-interface CreateTokenInput {
-    purpose: OneTimeTokenPurpose;
-    /** Email address, user ID, or any caller-supplied key that scopes the token. */
-    identifier: string;
-    /** Arbitrary data to associate with the token (e.g. org ID, invited role). */
-    metadata?: Record<string, unknown>;
-    /** Override the module-level default TTL for this token only. */
-    ttlSeconds?: number;
-}
-interface ValidateTokenResult {
-    identifier: string;
-    metadata?: Record<string, unknown>;
-}
-interface RevokeTokensResult {
-    count: number;
-}
-interface OneTimeTokenModule {
-    /**
-     * Create a new one-time token.
-     *
-     * Returns the raw token (hex string) exactly once. Store it in your email
-     * or link — it cannot be recovered from the database afterwards.
-     */
-    createToken(input: CreateTokenInput): Promise<Result<{
-        token: string;
-        expiresAt: Date;
-    }>>;
-    /**
-     * Validate a token and mark it as used.
-     *
-     * Fails when the token is unknown, already used, expired, or belongs to a
-     * different purpose. On success the token is consumed immediately.
-     */
-    validateToken(token: string, purpose: string): Promise<Result<ValidateTokenResult>>;
-    /**
-     * Revoke all active tokens for an identifier, optionally scoped to a purpose.
-     *
-     * Useful for invalidating outstanding password-reset links when a user
-     * changes their password through another flow, or for cleaning up on account
-     * deletion.
-     */
-    revokeTokens(identifier: string, purpose?: string): Promise<Result<RevokeTokensResult>>;
-}
-/**
- * Create a one-time token module backed by the provided database.
- *
- * The module is stateless — no in-memory caches — so multiple instances
- * sharing the same database are safe.
- */
-declare function createOneTimeTokenModule(config: OneTimeTokenConfig, db: Database): OneTimeTokenModule;
-
 /**
  * OpenAPI 3.1 spec generation plugin for KavachOS.
  *
@@ -1564,6 +1859,108 @@ interface RateLimitMiddlewareOptions {
 }
 declare function withRateLimit(handler: PluginEndpoint["handler"], limiter: RateLimiter, options?: RateLimitMiddlewareOptions): PluginEndpoint["handler"];
 
+/**
+ * Relationship-Based Access Control (ReBAC) engine for KavachOS.
+ *
+ * Inspired by Google Zanzibar. Models authorization as a graph of typed
+ * relationships between subjects (users, agents, teams) and objects
+ * (orgs, workspaces, projects, documents). Permission checks traverse the
+ * graph, following both direct relationships and parent-child inheritance.
+ *
+ * Key ideas:
+ * - Resources live in a hierarchy (org > workspace > project > document).
+ * - Relationships connect subjects to objects with a named relation.
+ * - Permission rules define how relations compose. An "editor" implicitly
+ *   has "viewer" access; a "viewer" on a workspace inherits "viewer" on
+ *   child projects.
+ * - Graph traversal is depth-limited to prevent runaway queries.
+ */
+
+interface ReBACConfig {
+    /** Maximum graph traversal depth for permission checks (default: 10). */
+    maxDepth?: number;
+    /** Permission rules per resource type. Key is the resource type. */
+    permissionRules?: Record<string, PermissionRuleSet>;
+}
+/**
+ * Defines how relations map to permissions for a given resource type.
+ *
+ * `implies` — relation X implies relation Y (e.g. editor implies viewer).
+ * `inherits` — permission P on this resource's parent also grants P here.
+ */
+interface PermissionRuleSet {
+    /** Which relations imply which other relations on the same object. */
+    implies?: Record<string, string[]>;
+    /** Permissions inherited from the parent resource. `true` = all, or list. */
+    inheritFromParent?: boolean | string[];
+}
+interface ResourceNode {
+    id: string;
+    type: string;
+    parentId?: string;
+    parentType?: string;
+}
+interface Relationship {
+    id: string;
+    subjectType: string;
+    subjectId: string;
+    relation: string;
+    objectType: string;
+    objectId: string;
+    createdAt: Date;
+}
+interface CheckParams {
+    subjectType: string;
+    subjectId: string;
+    permission: string;
+    objectType: string;
+    objectId: string;
+}
+interface CheckResult {
+    allowed: boolean;
+    path?: string[];
+}
+interface ListObjectsParams {
+    subjectType: string;
+    subjectId: string;
+    permission: string;
+    objectType: string;
+}
+interface ListSubjectsParams {
+    objectType: string;
+    objectId: string;
+    permission: string;
+    subjectType: string;
+}
+interface ExpandParams {
+    type: string;
+    id: string;
+}
+interface ReBACModule {
+    /** Register a resource in the hierarchy. */
+    createResource(node: ResourceNode): Promise<Result<ResourceNode>>;
+    /** Remove a resource and all its relationships. */
+    deleteResource(type: string, id: string): Promise<Result<void>>;
+    /** Get a resource by type and id. */
+    getResource(type: string, id: string): Promise<Result<ResourceNode | null>>;
+    /** Create a relationship between a subject and an object. */
+    addRelationship(rel: Omit<Relationship, "id" | "createdAt">): Promise<Result<Relationship>>;
+    /** Remove a specific relationship. */
+    removeRelationship(subjectType: string, subjectId: string, relation: string, objectType: string, objectId: string): Promise<Result<void>>;
+    /**
+     * Check whether a subject has a permission on an object.
+     * Returns the relationship path when access is granted.
+     */
+    check(params: CheckParams): Promise<Result<CheckResult>>;
+    /** List all object IDs of a given type that a subject can access with a permission. */
+    listObjects(params: ListObjectsParams): Promise<Result<string[]>>;
+    /** List all subject IDs of a given type that hold a permission on an object. */
+    listSubjects(params: ListSubjectsParams): Promise<Result<string[]>>;
+    /** Return all relationships where the given entity is subject or object. */
+    expand(params: ExpandParams): Promise<Result<Relationship[]>>;
+}
+declare function createReBACModule(config: ReBACConfig, db: Database): ReBACModule;
+
 /**
  * SCIM 2.0 directory sync for KavachOS.
  *
@@ -1848,7 +2245,7 @@ interface TrustedDeviceModule {
      * The same request will always produce the same fingerprint; changing
      * user-agent or accept-language invalidates the fingerprint.
      */
-    generateFingerprint(request: Request): string;
+    generateFingerprint(request: Request): Promise<string>;
 }
 declare function createTrustedDeviceModule(config: TrustedDeviceConfig, db: Database): TrustedDeviceModule;
 /**
@@ -1857,4 +2254,4 @@ declare function createTrustedDeviceModule(config: TrustedDeviceConfig, db: Data
  */
 declare function deviceLabelFromRequest(request: Request): string;
 
-export { type AccessTokenClaims, type AdditionalFieldsConfig, type AdditionalFieldsModule, AdminConfig, type AnonymousAuthConfig, type AnonymousAuthModule, ApiKeyManagerConfig, AuthAdapter, type AuthorizeParams, type BearerAuthOptions, type CheckoutOptions, type CreateTokenInput, type CustomSessionConfig, type CustomSessionModule, type DeleteOptions, type DeleteResult, type DeviceAuthConfig, type DeviceAuthModule, type DeviceAuthStatus, type DeviceCodeResponse, EmailOtpConfig, type EndpointGroup, type FieldDefinition, type GdprModule, type GetUserClaimsFn, type GoogleUser, type HeaderAuthOptions, HibpApiError, HibpBreachedError, type HibpConfig, type HibpModule, type JsonWebKeySet, type JwtSessionConfig, type JwtSessionModule, type LastLoginConfig, type LastLoginModule, type LoginEvent, type LoginMethod, MagicLinkConfig, type OAuthProxyConfig, OAuthProxyError, type OAuthProxyModule, type OAuthProxyPluginConfig, type OidcClient, type OidcDiscoveryDocument, type OidcProviderConfig, type OidcProviderModule, type OneTapConfig, type OneTapModule, OneTapVerifyError, type OneTimeTokenConfig, type OneTimeTokenModule, type OneTimeTokenPurpose, type OpenApiComponents, type OpenApiConfig, type OpenApiDocument, type OpenApiInfo, type OpenApiMediaType, type OpenApiModule, type OpenApiOperation, type OpenApiParameter, type OpenApiPathItem, type OpenApiRequestBody, type OpenApiResponse, type OpenApiSchema, type OpenApiSecurityRequirement, type OpenApiSecurityScheme, type OpenApiServer, OrgConfig, PasskeyConfig, type PolarConfig, type PolarModule, type PolarSubscription, type ProxyTokens, type RateLimitConfig, type RateLimitMiddlewareOptions, type RateLimitResult, type RateLimiter, type RecordLoginInput, type RegisterClientInput, ResolvedUser, type RevokeTokensResult, type ScimConfig, type ScimGroup, type ScimModule, type ScimUser, type SessionTokens, type SessionUser, type SiweConfig, type SiweModule, type SiweVerifyResult, type StripeConfig, type StripeModule, type SubscriptionInfo, type TokenParams, type TokenResponse, TotpConfig, type TrustedDevice, type TrustedDeviceConfig, type TrustedDeviceModule, type TwoFactorConfig, type UserDataExport, type UserInfoClaims, type ValidateTokenResult, type ValidationResult, type VerifiedSession, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAnonymousAuthModule, createCustomSessionModule, createDeviceAuthModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createPolarModule, createRateLimiter, createScimModule, createSiweModule, createStripeModule, createTrustedDeviceModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit };
+export { type AccessTokenClaims, type AdditionalFieldsConfig, type AdditionalFieldsModule, AdminConfig, type AnonymousAuthConfig, type AnonymousAuthModule, ApiKeyManagerConfig, AuthAdapter, type AuthorizeParams, type BearerAuthOptions, type BudgetCheckResult, type CheckParams, type CheckResult, type CheckoutOptions, type CostAlert, type CostAttributionConfig, type CostAttributionModule, type CostReport, type CreateEphemeralSessionInput, type CustomSessionConfig, type CustomSessionModule, type DeleteOptions, type DeleteResult, type DeviceAuthConfig, type DeviceAuthModule, type DeviceAuthStatus, type DeviceCodeResponse, EVENT_TYPES, EmailOtpConfig, type EndpointGroup, type EphemeralSession, type EphemeralSessionConfig, type EphemeralSessionModule, type EphemeralSessionValidateResult, type EventStreamConfig, type EventStreamModule, type EventType, type ExpandParams, type FederatedAgent, type FederationConfig, type FederationModule, type FederationToken, type FederationWellKnown, type FieldDefinition, type GdprModule, type GetUserClaimsFn, type GoogleUser, type HeaderAuthOptions, HibpApiError, HibpBreachedError, type HibpConfig, type HibpModule, type InstanceIdentity, type IssueFederationTokenInput, type JsonWebKeySet, type JwtSessionConfig, type JwtSessionModule, type LastLoginConfig, type LastLoginModule, type ListObjectsParams, type ListSubjectsParams, type LoginEvent, type LoginMethod, MagicLinkConfig, type OAuthProxyConfig, OAuthProxyError, type OAuthProxyModule, type OAuthProxyPluginConfig, type OidcClient, type OidcDiscoveryDocument, type OidcProviderConfig, type OidcProviderModule, type OneTapConfig, type OneTapModule, OneTapVerifyError, type OpenApiComponents, type OpenApiConfig, type OpenApiDocument, type OpenApiInfo, type OpenApiMediaType, type OpenApiModule, type OpenApiOperation, type OpenApiParameter, type OpenApiPathItem, type OpenApiRequestBody, type OpenApiResponse, type OpenApiSchema, type OpenApiSecurityRequirement, type OpenApiSecurityScheme, type OpenApiServer, OrgConfig, PasskeyConfig, type PermissionRuleSet, type PolarConfig, type PolarModule, type PolarSubscription, type ProxyTokens, type RateLimitConfig, type RateLimitMiddlewareOptions, type RateLimitResult, type RateLimiter, type ReBACConfig, type ReBACModule, type RecordCostInput, type RecordLoginInput, type RegisterClientInput, type Relationship, ResolvedUser, type ResourceNode, type ScimConfig, type ScimGroup, type ScimModule, type ScimUser, type SessionTokens, type SessionUser, type SiweConfig, type SiweModule, type SiweVerifyResult, type StreamEvent, type StripeConfig, type StripeModule, type SubscriptionInfo, type TokenParams, type TokenResponse, TotpConfig, type TrustLevel, type TrustedDevice, type TrustedDeviceConfig, type TrustedDeviceModule, type TrustedInstance, type TwoFactorConfig, type UserDataExport, type UserInfoClaims, type ValidationResult, type VerifiedSession, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAnonymousAuthModule, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOpenApiModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSiweModule, createStripeModule, createTrustedDeviceModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit };

package/dist/auth/index.js

@@ -1,5 +1,6 @@
-export { HibpApiError, HibpBreachedError, OAuthProxyError, OneTapVerifyError, SSO_ERROR, SsoError, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAdminModule, createAnonymousAuthModule, createApiKeyManagerModule, createCaptchaModule, createCustomSessionModule, createDeviceAuthModule, createEmailOtpModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createMagicLinkModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createOrgModule, createPasskeyModule, createPhoneAuthModule, createPolarModule, createRateLimiter, createScimModule, createSiweModule, createSsoModule, createStripeModule, createTotpModule, createTrustedDeviceModule, createUsernameAuthModule, createWebhookModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit } from '../chunk-KL6XW4S4.js';
-import '../chunk-V66UUIA7.js';
-import '../chunk-PZ5AY32C.js';
+export { EVENT_TYPES, HibpApiError, HibpBreachedError, OAuthProxyError, OneTapVerifyError, SSO_ERROR, SsoError, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAdminModule, createAnonymousAuthModule, createApiKeyManagerModule, createCaptchaModule, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createEmailOtpModule, createEmailVerificationModule, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createMagicLinkModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createOrgModule, createPasskeyModule, createPasswordResetModule, createPhoneAuthModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSiweModule, createSsoModule, createStripeModule, createTotpModule, createTrustedDeviceModule, createUsernameAuthModule, createWebhookModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit } from '../chunk-FKVAXCNJ.js';
+import '../chunk-KDL6A76K.js';
+import '../chunk-QCRHJMDX.js';
+import '../chunk-NSBPE2FW.js';
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map