mulguard 1.1.2 → 1.1.4

package/dist/index/index.mjs

@@ -1,53 +1,53 @@
-var H = Object.defineProperty;
-var K = (r, e, s) => e in r ? H(r, e, { enumerable: !0, configurable: !0, writable: !0, value: s }) : r[e] = s;
-var F = (r, e, s) => K(r, typeof e != "symbol" ? e + "" : e, s);
-import { A as y, e as X, c as Y, g as G, d as J } from "../actions-DeCfLtHA.mjs";
-import { a as Qe, s as Ze, b as er, v as rr } from "../actions-DeCfLtHA.mjs";
-import { v as x } from "../oauth-state-LE-qeq-K.mjs";
-import { c as sr, p as nr, k as or, n as ir, m as ar, j as cr, l as lr, e as ur, g as fr, b as dr, i as gr, a as hr, o as wr, f as mr, h as pr, r as yr, d as Er, s as kr } from "../oauth-state-LE-qeq-K.mjs";
-import { NextResponse as f } from "next/server";
-const j = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
+var ne = Object.defineProperty;
+var se = (e, r, t) => r in e ? ne(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
+var U = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
+import { A as m, d as ie, e as oe, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
+import { a as ft, s as dt, b as ht, v as gt } from "../actions-DeCfLtHA.mjs";
+import { v as N } from "../oauth-state-LE-qeq-K.mjs";
+import { c as pt, p as mt, k as Et, n as yt, m as kt, j as vt, l as St, e as Rt, g as At, b as Ot, i as Tt, a as It, o as _t, f as Pt, h as Ct, r as bt, d as Ut, s as Nt } from "../oauth-state-LE-qeq-K.mjs";
+import { NextResponse as E } from "next/server";
+const x = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
 /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-function Q(r = 32) {
-  if (j && typeof j.getRandomValues == "function")
-    return j.getRandomValues(new Uint8Array(r));
-  if (j && typeof j.randomBytes == "function")
-    return Uint8Array.from(j.randomBytes(r));
+function ue(e = 32) {
+  if (x && typeof x.getRandomValues == "function")
+    return x.getRandomValues(new Uint8Array(e));
+  if (x && typeof x.randomBytes == "function")
+    return Uint8Array.from(x.randomBytes(e));
   throw new Error("crypto.getRandomValues must be defined");
 }
-class Z {
-  constructor(e) {
-    F(this, "attempts", /* @__PURE__ */ new Map());
-    F(this, "config");
-    this.config = e;
+class le {
+  constructor(r) {
+    U(this, "attempts", /* @__PURE__ */ new Map());
+    U(this, "config");
+    this.config = r;
   }
   /**
    * Check if request is allowed
    */
-  check(e) {
-    const s = Date.now(), t = this.attempts.get(e);
-    return !t || t.resetAt < s ? (this.attempts.set(e, {
+  check(r) {
+    const t = Date.now(), n = this.attempts.get(r);
+    return !n || n.resetAt < t ? (this.attempts.set(r, {
       count: 1,
-      resetAt: s + this.config.windowMs
+      resetAt: t + this.config.windowMs
     }), {
       allowed: !0,
       remaining: this.config.maxAttempts - 1,
-      resetAt: new Date(s + this.config.windowMs)
-    }) : t.count >= this.config.maxAttempts ? {
+      resetAt: new Date(t + this.config.windowMs)
+    }) : n.count >= this.config.maxAttempts ? {
       allowed: !1,
       remaining: 0,
-      resetAt: new Date(t.resetAt)
-    } : (t.count++, {
+      resetAt: new Date(n.resetAt)
+    } : (n.count++, {
       allowed: !0,
-      remaining: this.config.maxAttempts - t.count,
-      resetAt: new Date(t.resetAt)
+      remaining: this.config.maxAttempts - n.count,
+      resetAt: new Date(n.resetAt)
     });
   }
   /**
    * Reset rate limit for a key
    */
-  reset(e) {
-    this.attempts.delete(e);
+  reset(r) {
+    this.attempts.delete(r);
   }
   /**
    * Clear all rate limits
@@ -56,10 +56,10 @@ class Z {
     this.attempts.clear();
   }
 }
-function ve(r) {
-  return new Z(r);
+function Or(e) {
+  return new le(e);
 }
-const ee = {
+const fe = {
   "X-Content-Type-Options": "nosniff",
   "X-Frame-Options": "DENY",
   "X-XSS-Protection": "1; mode=block",
@@ -68,163 +68,203 @@ const ee = {
   "Referrer-Policy": "strict-origin-when-cross-origin",
   "Permissions-Policy": "geolocation=(), microphone=(), camera=()"
 };
-function q(r) {
+function H(e) {
   return {
-    ...ee,
-    ...r
+    ...fe,
+    ...e
   };
 }
-function Re(r, e) {
-  const s = q(e);
-  for (const [t, o] of Object.entries(s))
-    o && r.set(t, o);
+function Tr(e, r) {
+  const t = H(r);
+  for (const [n, s] of Object.entries(t))
+    s && e.set(n, s);
 }
-function M(r) {
-  if (!r || typeof r != "string")
+const de = /^[^\s@]+@[^\s@]+\.[^\s@]+$/, he = 254;
+function G(e) {
+  var t;
+  if (typeof e != "string" || !e)
     return { valid: !1, error: "Email is required" };
-  const e = r.trim().toLowerCase();
-  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e) ? e.length > 254 ? { valid: !1, error: "Email is too long" } : e.includes("..") || e.startsWith(".") || e.endsWith(".") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid email format" };
+  const r = e.trim().toLowerCase();
+  return de.test(r) ? r.length > he ? { valid: !1, error: "Email is too long" } : r.includes("..") || r.startsWith(".") || r.endsWith(".") ? { valid: !1, error: "Invalid email format" } : (t = r.split("@")[1]) != null && t.includes("..") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: r } : { valid: !1, error: "Invalid email format" };
 }
-function Ae(r, e = 8) {
-  if (!r || typeof r != "string")
+function K(e) {
+  return e.valid === !0 && e.sanitized !== void 0;
+}
+const ge = /* @__PURE__ */ new Set([
+  "password",
+  "12345678",
+  "qwerty",
+  "abc123",
+  "password123",
+  "123456789",
+  "1234567890",
+  "letmein",
+  "welcome",
+  "monkey",
+  "dragon",
+  "master",
+  "sunshine",
+  "princess",
+  "football",
+  "admin",
+  "root",
+  "test",
+  "guest",
+  "user"
+]), we = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, pe = 8, me = 128;
+function Ir(e, r = pe) {
+  if (typeof e != "string" || !e)
     return { valid: !1, error: "Password is required" };
-  if (r.length < e)
-    return { valid: !1, error: `Password must be at least ${e} characters` };
-  if (r.length > 128)
+  if (e.length < r)
+    return { valid: !1, error: `Password must be at least ${r} characters` };
+  if (e.length > me)
     return { valid: !1, error: "Password is too long" };
-  if ([
-    "password",
-    "12345678",
-    "qwerty",
-    "abc123",
-    "password123",
-    "123456789",
-    "1234567890",
-    "letmein",
-    "welcome",
-    "monkey",
-    "dragon",
-    "master",
-    "sunshine",
-    "princess",
-    "football"
-  ].includes(r.toLowerCase()))
+  const t = e.toLowerCase();
+  if (ge.has(t))
     return { valid: !1, error: "Password is too common" };
-  if (/(.)\1{3,}/.test(r))
+  if (/(.)\1{3,}/.test(e))
     return { valid: !1, error: "Password contains too many repeated characters" };
-  if (/012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i.test(r))
+  if (we.test(e))
     return { valid: !1, error: "Password contains sequential characters" };
-  let t = "weak", o = 0;
-  return r.length >= 12 ? o += 2 : r.length >= 8 && (o += 1), /[a-z]/.test(r) && (o += 1), /[A-Z]/.test(r) && (o += 1), /[0-9]/.test(r) && (o += 1), /[^a-zA-Z0-9]/.test(r) && (o += 1), o >= 5 ? t = "strong" : o >= 3 && (t = "medium"), { valid: !0, strength: t };
+  const n = Ee(e);
+  return { valid: !0, sanitized: e, strength: n };
 }
-function Se(r) {
-  if (!r || typeof r != "string")
+function Ee(e) {
+  let r = 0;
+  return e.length >= 12 ? r += 2 : e.length >= 8 && (r += 1), /[a-z]/.test(e) && (r += 1), /[A-Z]/.test(e) && (r += 1), /[0-9]/.test(e) && (r += 1), /[^a-zA-Z0-9]/.test(e) && (r += 1), r >= 5 ? "strong" : r >= 3 ? "medium" : "weak";
+}
+function _r(e) {
+  return e.valid === !0 && e.sanitized !== void 0;
+}
+const ye = 100;
+function Pr(e) {
+  if (typeof e != "string" || !e)
     return { valid: !1, error: "Name is required" };
-  const e = r.trim();
-  return e.length < 1 ? { valid: !1, error: "Name cannot be empty" } : e.length > 100 ? { valid: !1, error: "Name is too long" } : { valid: !0, sanitized: e.replace(/[<>\"']/g, "") };
+  const r = e.trim();
+  if (r.length < 1)
+    return { valid: !1, error: "Name cannot be empty" };
+  if (r.length > ye)
+    return { valid: !1, error: "Name is too long" };
+  const t = r.replace(/[<>"']/g, "");
+  return t.length === 0 ? { valid: !1, error: "Name contains only invalid characters" } : { valid: !0, sanitized: t };
 }
-function Ie(r) {
-  if (!r || typeof r != "string")
+function Cr(e) {
+  return e.valid === !0 && e.sanitized !== void 0;
+}
+const ke = /* @__PURE__ */ new Set(["http:", "https:"]);
+function br(e) {
+  if (typeof e != "string" || !e)
     return { valid: !1, error: "URL is required" };
   try {
-    const e = new URL(r);
-    return ["http:", "https:"].includes(e.protocol) ? { valid: !0 } : { valid: !1, error: "URL must use http or https protocol" };
+    const r = new URL(e);
+    return ke.has(r.protocol) ? { valid: !0, sanitized: e } : { valid: !1, error: "URL must use http or https protocol" };
   } catch {
     return { valid: !1, error: "Invalid URL format" };
   }
 }
-function _e(r, e = 16) {
-  return !r || typeof r != "string" ? { valid: !1, error: "Token is required" } : r.length < e ? { valid: !1, error: "Token is too short" } : r.length > 512 ? { valid: !1, error: "Token is too long" } : /^[A-Za-z0-9_-]+$/.test(r) ? /(.)\1{10,}/.test(r) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0 } : { valid: !1, error: "Invalid token format" };
+function Ur(e) {
+  return e.valid === !0 && e.sanitized !== void 0;
+}
+const ve = 16, Se = 512, Re = /^[A-Za-z0-9_-]+$/;
+function Nr(e, r = ve) {
+  return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > Se ? { valid: !1, error: "Token is too long" } : Re.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
 }
-function z(r, e) {
-  const { maxLength: s = 1e3, allowHtml: t = !1, required: o = !0 } = e || {};
-  if (o && (!r || typeof r != "string" || r.trim().length === 0))
+function Fr(e) {
+  return e.valid === !0 && e.sanitized !== void 0;
+}
+const Ae = 1e3;
+function X(e, r) {
+  const { maxLength: t = Ae, allowHtml: n = !1, required: s = !0 } = r ?? {};
+  if (s && (typeof e != "string" || !e || e.trim().length === 0))
     return { valid: !1, error: "Input is required" };
-  if (!r || typeof r != "string")
+  if (typeof e != "string" || !e)
     return { valid: !0, sanitized: "" };
-  let d = r.trim();
-  return d.length > s ? { valid: !1, error: `Input must be less than ${s} characters` } : (t || (d = d.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), d = d.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: d });
+  let i = e.trim();
+  return i.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (i = i.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), i = i.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: i });
+}
+function xr(e) {
+  return e.valid === !0 && e.sanitized !== void 0;
 }
-class re {
+class Oe {
   constructor() {
-    F(this, "tokens", /* @__PURE__ */ new Map());
+    U(this, "tokens", /* @__PURE__ */ new Map());
   }
-  get(e) {
-    const s = this.tokens.get(e);
-    return s ? s.expiresAt < Date.now() ? (this.delete(e), null) : s.value : null;
+  get(r) {
+    const t = this.tokens.get(r);
+    return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t.value : null;
   }
-  set(e, s, t = 36e5) {
-    this.tokens.set(e, {
-      value: s,
-      expiresAt: Date.now() + t
+  set(r, t, n = 36e5) {
+    this.tokens.set(r, {
+      value: t,
+      expiresAt: Date.now() + n
     });
   }
-  delete(e) {
-    this.tokens.delete(e);
+  delete(r) {
+    this.tokens.delete(r);
   }
   clear() {
     this.tokens.clear();
   }
 }
-class te {
-  constructor(e, s = 32) {
-    F(this, "store");
-    F(this, "tokenLength");
-    this.store = e || new re(), this.tokenLength = s;
+class Te {
+  constructor(r, t = 32) {
+    U(this, "store");
+    U(this, "tokenLength");
+    this.store = r || new Oe(), this.tokenLength = t;
   }
   /**
    * Generate CSRF token
    */
-  generateToken(e, s) {
-    const t = B(this.tokenLength);
-    return this.store.set(e, t, s), t;
+  generateToken(r, t) {
+    const n = Y(this.tokenLength);
+    return this.store.set(r, n, t), n;
   }
   /**
    * Validate CSRF token
    */
-  validateToken(e, s) {
-    const t = this.store.get(e);
-    if (!t)
+  validateToken(r, t) {
+    const n = this.store.get(r);
+    if (!n)
       return !1;
-    const o = oe(s, t);
-    return o && this.store.delete(e), o;
+    const s = Q(t, n);
+    return s && this.store.delete(r), s;
   }
   /**
    * Get stored token without validating
    */
-  getToken(e) {
-    return this.store.get(e);
+  getToken(r) {
+    return this.store.get(r);
   }
   /**
    * Delete token
    */
-  deleteToken(e) {
-    this.store.delete(e);
+  deleteToken(r) {
+    this.store.delete(r);
   }
 }
-function Oe(r) {
-  return new te(r);
+function Dr(e) {
+  return new Te(e);
 }
-function se(r) {
-  if (typeof r != "string")
+function Ie(e) {
+  if (typeof e != "string")
     return "";
-  const e = {
+  const r = {
     "&": "&amp;",
     "<": "&lt;",
     ">": "&gt;",
     '"': "&quot;",
     "'": "&#039;"
   };
-  return r.replace(/[&<>"']/g, (s) => e[s] || s);
+  return e.replace(/[&<>"']/g, (t) => r[t] || t);
 }
-function be(r) {
-  return typeof r != "string" ? "" : r.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
+function Lr(e) {
+  return typeof e != "string" ? "" : e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
 }
-function Te(r) {
-  return typeof r != "string" ? "" : se(r.trim());
+function Mr(e) {
+  return typeof e != "string" ? "" : Ie(e.trim());
 }
-function Pe(r) {
-  return typeof r != "string" ? !1 : [
+function Vr(e) {
+  return typeof e != "string" ? !1 : [
     /<script/i,
     /javascript:/i,
     /on\w+\s*=/i,
@@ -235,88 +275,95 @@ function Pe(r) {
     /<meta/i,
     /expression\s*\(/i,
     /vbscript:/i
-  ].some((s) => s.test(r));
+  ].some((t) => t.test(e));
 }
-function B(r = 32) {
-  const e = Q(r);
-  return Buffer.from(e).toString("base64url");
+const J = 32;
+function Y(e = J) {
+  if (e < 1 || e > 256)
+    throw new Error("Token length must be between 1 and 256 bytes");
+  const r = ue(e);
+  return Buffer.from(r).toString("base64url");
 }
-function ne() {
-  return B(32);
+function _e() {
+  return Y(J);
 }
-function oe(r, e) {
-  if (!r || !e || r.length !== e.length)
+function Q(e, r) {
+  if (typeof e != "string" || typeof r != "string" || !e || !r || e.length !== r.length)
     return !1;
-  let s = 0;
-  for (let t = 0; t < r.length; t++)
-    s |= r.charCodeAt(t) ^ e.charCodeAt(t);
-  return s === 0;
+  let t = 0;
+  for (let n = 0; n < e.length; n++)
+    t |= e.charCodeAt(n) ^ r.charCodeAt(n);
+  return t === 0;
 }
-function Ce(r) {
-  return r.trim().replace(/[<>]/g, "");
+function jr(e, r) {
+  return Q(e, r);
 }
-function Ue(r) {
-  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r);
+function zr(e) {
+  return typeof e != "string" ? "" : e.trim().replace(/[<>]/g, "");
 }
-function ie(r) {
-  return !r.success && !!r.error;
+const Pe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+function $r(e) {
+  return typeof e == "string" && Pe.test(e);
 }
-function Ne(r) {
-  return r.requires2FA === !0 || r.errorCode === y.TWO_FA_REQUIRED;
+function Ce(e) {
+  return !e.success && !!e.error;
 }
-function Fe(r, e) {
-  return r.error ? r.error : e || "Authentication failed";
+function Wr(e) {
+  return e.requires2FA === !0 || e.errorCode === m.TWO_FA_REQUIRED;
 }
-function xe(r) {
-  return r.errorCode;
+function qr(e, r) {
+  return e.error ? e.error : r || "Authentication failed";
 }
-function Le(r) {
-  return r.success === !0 && !!r.user;
+function Br(e) {
+  return e.errorCode;
 }
-function je(r, e) {
-  return r.errorCode === e;
+function Hr(e) {
+  return e.success === !0 && !!e.user;
 }
-function De(r) {
-  if (!ie(r)) return !1;
-  const e = [
-    y.NETWORK_ERROR,
-    y.RATE_LIMITED,
-    y.UNKNOWN_ERROR
+function Gr(e, r) {
+  return e.errorCode === r;
+}
+function Kr(e) {
+  if (!Ce(e)) return !1;
+  const r = [
+    m.NETWORK_ERROR,
+    m.RATE_LIMITED,
+    m.UNKNOWN_ERROR
   ];
-  return r.errorCode ? e.includes(r.errorCode) : !1;
+  return e.errorCode ? r.includes(e.errorCode) : !1;
 }
-function Ve(r) {
-  if (r.error) return r.error;
-  switch (r.errorCode) {
-    case y.INVALID_CREDENTIALS:
+function Xr(e) {
+  if (e.error) return e.error;
+  switch (e.errorCode) {
+    case m.INVALID_CREDENTIALS:
       return "Invalid email or password. Please try again.";
-    case y.ACCOUNT_LOCKED:
+    case m.ACCOUNT_LOCKED:
       return "Your account has been temporarily locked. Please try again later.";
-    case y.ACCOUNT_INACTIVE:
+    case m.ACCOUNT_INACTIVE:
       return "Your account is inactive. Please contact support.";
-    case y.TWO_FA_REQUIRED:
+    case m.TWO_FA_REQUIRED:
       return "Two-factor authentication is required. Please enter your code.";
-    case y.INVALID_TWO_FA_CODE:
+    case m.INVALID_TWO_FA_CODE:
       return "Invalid two-factor authentication code. Please try again.";
-    case y.SESSION_EXPIRED:
+    case m.SESSION_EXPIRED:
       return "Your session has expired. Please sign in again.";
-    case y.UNAUTHORIZED:
+    case m.UNAUTHORIZED:
       return "You are not authorized to perform this action.";
-    case y.NETWORK_ERROR:
+    case m.NETWORK_ERROR:
       return "Network error. Please check your connection and try again.";
-    case y.VALIDATION_ERROR:
+    case m.VALIDATION_ERROR:
       return "Please check your input and try again.";
-    case y.RATE_LIMITED:
+    case m.RATE_LIMITED:
       return "Too many attempts. Please try again later.";
-    case y.UNKNOWN_ERROR:
+    case m.UNKNOWN_ERROR:
     default:
       return "An unexpected error occurred. Please try again.";
   }
 }
-async function $e(r, e, s) {
-  return r.signIn(e, s);
+async function Jr(e, r, t) {
+  return e.signIn(r, t);
 }
-const ae = {
+const Z = {
   google: {
     authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
     tokenUrl: "https://oauth2.googleapis.com/token",
@@ -346,254 +393,424 @@ const ae = {
     defaultScopes: ["email", "public_profile"]
   }
 };
-function $(r) {
-  return ae[r] || null;
-}
-function ce(r, e, s, t) {
-  const o = $(r);
-  if (!o)
-    throw new Error(`Unknown OAuth provider: ${r}`);
-  const d = e.redirectUri || `${s}/api/auth/callback/${r}`, c = e.scopes || o.defaultScopes, a = new URLSearchParams({
-    client_id: e.clientId,
-    redirect_uri: d,
+function j(e) {
+  return Z[e] ?? null;
+}
+function Yr(e) {
+  return e in Z;
+}
+function be(e, r, t, n) {
+  const s = j(e);
+  if (!s)
+    throw new Error(`Unknown OAuth provider: ${e}`);
+  if (!r.clientId)
+    throw new Error(`OAuth provider "${e}" is missing clientId`);
+  const i = r.redirectUri ?? `${t}/api/auth/callback/${e}`, o = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
+    client_id: r.clientId,
+    redirect_uri: i,
     response_type: "code",
-    scope: c.join(" "),
-    state: t,
-    ...o.defaultParams,
-    ...e.params
+    scope: Array.isArray(o) ? o.join(" ") : String(o),
+    state: n
   });
-  return `${o.authorizationUrl}?${a.toString()}`;
-}
-async function le(r, e, s, t) {
-  const o = $(r);
-  if (!o)
-    throw new Error(`Unknown OAuth provider: ${r}`);
-  const d = new URLSearchParams({
-    client_id: e.clientId,
-    code: s,
-    redirect_uri: t,
+  if (s.defaultParams)
+    for (const [l, f] of Object.entries(s.defaultParams))
+      a.append(l, f);
+  if (r.params)
+    for (const [l, f] of Object.entries(r.params))
+      a.set(l, f);
+  return `${s.authorizationUrl}?${a.toString()}`;
+}
+async function Ue(e, r, t, n) {
+  const s = j(e);
+  if (!s)
+    throw new Error(`Unknown OAuth provider: ${e}`);
+  if (!t || typeof t != "string")
+    throw new Error("Authorization code is required");
+  if (!r.clientId)
+    throw new Error(`OAuth provider "${e}" is missing clientId`);
+  const i = new URLSearchParams({
+    client_id: r.clientId,
+    code: t,
+    redirect_uri: n,
     grant_type: "authorization_code"
   });
-  e.clientSecret && d.append("client_secret", e.clientSecret);
-  const c = await fetch(o.tokenUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      Accept: "application/json"
-    },
-    body: d.toString()
-  });
-  if (!c.ok) {
-    const a = await c.text();
-    throw new Error(`Failed to exchange code for tokens: ${a}`);
+  r.clientSecret && i.append("client_secret", r.clientSecret);
+  try {
+    const o = await fetch(s.tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: i.toString()
+    });
+    if (!o.ok) {
+      const l = await o.text();
+      let f = `Failed to exchange code for tokens: ${l}`;
+      try {
+        const w = JSON.parse(l);
+        f = w.error_description ?? w.error ?? f;
+      } catch {
+      }
+      throw new Error(f);
+    }
+    const a = await o.json();
+    if (!Ne(a))
+      throw new Error("Invalid token exchange response format");
+    return a;
+  } catch (o) {
+    throw o instanceof Error ? o : new Error(`OAuth token exchange failed: ${String(o)}`);
   }
-  return await c.json();
 }
-async function ue(r, e) {
-  var d, c, a, m;
-  const s = $(r);
-  if (!s)
-    throw new Error(`Unknown OAuth provider: ${r}`);
-  const t = await fetch(s.userInfoUrl, {
-    headers: {
-      Authorization: `Bearer ${e}`,
-      Accept: "application/json"
+function Ne(e) {
+  return typeof e == "object" && e !== null && "access_token" in e && typeof e.access_token == "string";
+}
+async function Fe(e, r) {
+  const t = j(e);
+  if (!t)
+    throw new Error(`Unknown OAuth provider: ${e}`);
+  if (!r || typeof r != "string")
+    throw new Error("Access token is required");
+  try {
+    const n = await fetch(t.userInfoUrl, {
+      headers: {
+        Authorization: `Bearer ${r}`,
+        Accept: "application/json"
+      }
+    });
+    if (!n.ok) {
+      const i = await n.text();
+      let o = `Failed to fetch user info: ${i}`;
+      try {
+        const a = JSON.parse(i);
+        o = a.error_description ?? a.error ?? o;
+      } catch {
+      }
+      throw new Error(o);
     }
-  });
-  if (!t.ok) {
-    const k = await t.text();
-    throw new Error(`Failed to fetch user info: ${k}`);
+    const s = await n.json();
+    return xe(e, s, r);
+  } catch (n) {
+    throw n instanceof Error ? n : new Error(`OAuth user info retrieval failed: ${String(n)}`);
   }
-  const o = await t.json();
-  switch (r) {
+}
+async function xe(e, r, t) {
+  switch (e) {
     case "google":
-      return {
-        id: o.sub || o.id,
-        email: o.email,
-        name: o.name,
-        avatar: o.picture,
-        emailVerified: o.email_verified,
-        rawProfile: o
-      };
+      return De(r);
     case "github":
-      let k = o.email, I = { ...o };
-      if (!k) {
-        const A = await (await fetch("https://api.github.com/user/emails", {
-          headers: { Authorization: `Bearer ${e}` }
-        })).json();
-        k = ((d = A.find((_) => _.primary)) == null ? void 0 : d.email) || ((c = A[0]) == null ? void 0 : c.email) || `${o.login}@users.noreply.github.com`, I = { ...o, emails: A };
-      }
-      return {
-        id: String(o.id),
-        email: k,
-        name: o.name || o.login,
-        avatar: o.avatar_url,
-        emailVerified: !!k,
-        rawProfile: I
-      };
+      return await Le(r, t);
     case "apple":
-      return {
-        id: o.sub,
-        email: o.email,
-        name: o.name ? `${o.name.firstName} ${o.name.lastName}` : "",
-        emailVerified: o.email_verified,
-        rawProfile: o
-      };
+      return Me(r);
     case "facebook":
-      return {
-        id: o.id,
-        email: o.email,
-        name: o.name,
-        avatar: (m = (a = o.picture) == null ? void 0 : a.data) == null ? void 0 : m.url,
-        emailVerified: !0,
-        rawProfile: o
-      };
+      return Ve(r);
     default:
-      return {
-        id: String(o.id || o.sub),
-        email: o.email,
-        name: o.name || o.display_name || o.username,
-        avatar: o.avatar || o.picture || o.avatar_url,
-        emailVerified: o.email_verified || o.emailVerified || !1,
-        rawProfile: o
-      };
+      return je(r);
   }
 }
-class fe {
+function De(e) {
+  return {
+    id: String(e.sub ?? e.id ?? ""),
+    email: String(e.email ?? ""),
+    name: String(e.name ?? ""),
+    avatar: typeof e.picture == "string" ? e.picture : void 0,
+    emailVerified: !!e.email_verified,
+    rawProfile: e
+  };
+}
+async function Le(e, r) {
+  let t = typeof e.email == "string" ? e.email : void 0, n = { ...e };
+  if (!t)
+    try {
+      const s = await fetch("https://api.github.com/user/emails", {
+        headers: { Authorization: `Bearer ${r}` }
+      });
+      if (s.ok) {
+        const i = await s.json(), o = i.find((a) => a.primary) ?? i[0];
+        t = (o == null ? void 0 : o.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: i };
+      } else
+        t = `${String(e.login ?? "user")}@users.noreply.github.com`;
+    } catch {
+      t = `${String(e.login ?? "user")}@users.noreply.github.com`;
+    }
+  return {
+    id: String(e.id ?? ""),
+    email: t ?? "",
+    name: String(e.name ?? e.login ?? ""),
+    avatar: typeof e.avatar_url == "string" ? e.avatar_url : void 0,
+    emailVerified: !!t,
+    rawProfile: n
+  };
+}
+function Me(e) {
+  const r = e.name, t = r ? `${r.firstName ?? ""} ${r.lastName ?? ""}`.trim() : "";
+  return {
+    id: String(e.sub ?? ""),
+    email: String(e.email ?? ""),
+    name: t,
+    emailVerified: !!e.email_verified,
+    rawProfile: e
+  };
+}
+function Ve(e) {
+  var t;
+  const r = e.picture;
+  return {
+    id: String(e.id ?? ""),
+    email: String(e.email ?? ""),
+    name: String(e.name ?? ""),
+    avatar: (t = r == null ? void 0 : r.data) == null ? void 0 : t.url,
+    emailVerified: !0,
+    rawProfile: e
+  };
+}
+function je(e) {
+  return {
+    id: String(e.id ?? e.sub ?? ""),
+    email: String(e.email ?? ""),
+    name: String(e.name ?? e.display_name ?? e.username ?? ""),
+    avatar: typeof e.avatar == "string" ? e.avatar : typeof e.picture == "string" ? e.picture : typeof e.avatar_url == "string" ? e.avatar_url : void 0,
+    emailVerified: !!(e.email_verified ?? e.emailVerified ?? !1),
+    rawProfile: e
+  };
+}
+function Qr(e) {
+  return typeof e == "object" && e !== null && "clientId" in e && typeof e.clientId == "string";
+}
+class ze {
   constructor() {
-    F(this, "states", /* @__PURE__ */ new Map());
+    U(this, "states", /* @__PURE__ */ new Map());
   }
-  set(e, s, t) {
-    this.states.set(e, s), this.cleanup();
+  set(r, t, n) {
+    this.states.set(r, t), this.cleanup();
   }
-  get(e) {
-    const s = this.states.get(e);
-    return s ? s.expiresAt < Date.now() ? (this.delete(e), null) : s : null;
+  get(r) {
+    const t = this.states.get(r);
+    return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t : null;
   }
-  delete(e) {
-    this.states.delete(e);
+  delete(r) {
+    this.states.delete(r);
   }
   cleanup() {
-    const e = Date.now();
-    for (const [s, t] of this.states.entries())
-      t.expiresAt < e && this.states.delete(s);
+    const r = Date.now();
+    for (const [t, n] of this.states.entries())
+      n.expiresAt < r && this.states.delete(t);
   }
 }
-function de() {
-  return new fe();
+function $e() {
+  return new ze();
+}
+function Zr(e, r = "mulguard:oauth:state:") {
+  const t = (s) => `${r}${s}`, n = async (s) => {
+    const i = t(s);
+    await e.del(i);
+  };
+  return {
+    async set(s, i, o) {
+      const a = t(s), l = JSON.stringify(i);
+      await e.set(a, l, "EX", Math.floor(o / 1e3));
+    },
+    async get(s) {
+      const i = t(s), o = await e.get(i);
+      if (!o)
+        return null;
+      try {
+        const a = JSON.parse(o);
+        return a.expiresAt < Date.now() ? (await n(s), null) : a;
+      } catch {
+        return await n(s), null;
+      }
+    },
+    async delete(s) {
+      await n(s);
+    },
+    async cleanup() {
+      try {
+        const s = await e.keys(`${r}*`), i = Date.now();
+        for (const o of s) {
+          const a = await e.get(o);
+          if (a)
+            try {
+              JSON.parse(a).expiresAt < i && await e.del(o);
+            } catch {
+              await e.del(o);
+            }
+        }
+      } catch (s) {
+        console.warn("[Mulguard] OAuth state cleanup warning:", s);
+      }
+    }
+  };
+}
+function D(e) {
+  return e.success === !0 && e.user !== void 0 && e.session !== void 0;
 }
-function ge(r = process.env.NODE_ENV === "development") {
-  const e = "[Mulguard]";
+var ee = /* @__PURE__ */ ((e) => (e[e.DEBUG = 0] = "DEBUG", e[e.INFO = 1] = "INFO", e[e.WARN = 2] = "WARN", e[e.ERROR = 3] = "ERROR", e))(ee || {});
+const We = process.env.NODE_ENV === "development" ? 0 : 1;
+function qe(e = {}) {
+  const {
+    enabled: r = process.env.NODE_ENV === "development",
+    level: t = We,
+    context: n,
+    formatter: s = Be
+  } = e, i = (a) => r && a >= t, o = (a, l, f, w) => ({
+    level: a,
+    message: l,
+    timestamp: /* @__PURE__ */ new Date(),
+    context: n,
+    data: f ? He(f) : void 0,
+    error: w
+  });
   return {
-    debug: r ? (s, t) => {
-      t !== void 0 ? console.debug(`${e} ${s}`, t) : console.debug(`${e} ${s}`);
-    } : () => {
+    debug: (a, l) => {
+      if (i(
+        0
+        /* DEBUG */
+      )) {
+        const f = o(0, a, l);
+        console.debug(s(f));
+      }
     },
-    info: r ? (s, t) => {
-      t !== void 0 ? console.info(`${e} ${s}`, t) : console.info(`${e} ${s}`);
-    } : () => {
+    info: (a, l) => {
+      if (i(
+        1
+        /* INFO */
+      )) {
+        const f = o(1, a, l);
+        console.info(s(f));
+      }
     },
-    warn: r ? (s, t) => {
-      t !== void 0 ? console.warn(`${e} ${s}`, t) : console.warn(`${e} ${s}`);
-    } : () => {
+    warn: (a, l) => {
+      if (i(
+        2
+        /* WARN */
+      )) {
+        const f = o(2, a, l);
+        console.warn(s(f));
+      }
     },
-    error: r ? (s, t) => {
-      t !== void 0 ? console.error(`${e} ${s}`, t) : console.error(`${e} ${s}`);
-    } : () => {
+    error: (a, l) => {
+      if (i(
+        3
+        /* ERROR */
+      )) {
+        const f = l instanceof Error ? l : void 0, w = l instanceof Error ? void 0 : l, g = o(3, a, w, f);
+        console.error(s(g)), f && console.error(f);
+      }
     }
   };
 }
-const P = ge();
-function he(r, e, s, t = {}) {
+function Be(e) {
+  const r = e.timestamp.toISOString(), t = ee[e.level], n = e.context ? `[${e.context}]` : "", s = e.data ? ` ${JSON.stringify(e.data)}` : "";
+  return `${r} [${t}]${n} ${e.message}${s}`;
+}
+function He(e) {
+  const r = /* @__PURE__ */ new Set(["password", "token", "secret", "key", "accessToken", "refreshToken"]), t = {};
+  for (const [n, s] of Object.entries(e))
+    if (r.has(n.toLowerCase()))
+      t[n] = "***REDACTED***";
+    else if (typeof s == "string" && n.toLowerCase().includes("email")) {
+      const i = s.split("@");
+      if (i.length === 2 && i[0]) {
+        const o = i[0].substring(0, 3) + "***@" + i[1];
+        t[n] = o;
+      } else
+        t[n] = s;
+    } else
+      t[n] = s;
+  return t;
+}
+const I = qe();
+function Ge(e, r, t, n = {}) {
   const {
-    enabled: o = !0,
-    maxRetries: d = 1,
-    retryDelay: c = 1e3,
+    enabled: s = !0,
+    maxRetries: i = 1,
+    retryDelay: o = 1e3,
     rateLimit: a = 3,
-    autoSignOutOnFailure: m = !0,
-    redirectToLogin: k = "/login",
-    autoRedirectOnFailure: I = !0
-  } = t;
+    autoSignOutOnFailure: l = !0,
+    redirectToLogin: f = "/login",
+    autoRedirectOnFailure: w = !0
+  } = n;
   let g = null, A = !1;
-  const _ = [], b = [], U = 60 * 1e3;
-  let T = 0, O = !1, C = null;
-  const D = 2, V = 60 * 1e3;
-  function n() {
-    const l = Date.now();
-    if (O && C) {
-      if (l < C)
+  const S = [], v = [], y = 60 * 1e3;
+  let h = 0, T = !1, _ = null;
+  const L = 2, M = 60 * 1e3;
+  function c() {
+    const k = Date.now();
+    if (T && _) {
+      if (k < _)
         return !1;
-      O = !1, C = null, T = 0;
+      T = !1, _ = null, h = 0;
     }
-    for (; b.length > 0; ) {
-      const w = b[0];
-      if (w !== void 0 && w < l - U)
-        b.shift();
+    for (; v.length > 0; ) {
+      const p = v[0];
+      if (p !== void 0 && p < k - y)
+        v.shift();
       else
         break;
     }
-    return b.length >= a ? !1 : (b.push(l), !0);
-  }
-  function i() {
-    T++, T >= D && (O = !0, C = Date.now() + V, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
+    return v.length >= a ? !1 : (v.push(k), !0);
   }
   function u() {
-    T = 0, O = !1, C = null;
+    h++, h >= L && (T = !0, _ = Date.now() + M, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
   }
-  async function p(l = 1) {
-    if (!o)
+  function d() {
+    h = 0, T = !1, _ = null;
+  }
+  async function R(k = 1) {
+    if (!s)
       return null;
-    if (!n())
+    if (!c())
       throw new Error("Rate limit exceeded for token refresh");
     try {
-      const w = await r();
-      if (w)
-        return u(), S(w), t.onTokenRefreshed && await Promise.resolve(t.onTokenRefreshed(w)), w;
-      if (i(), l < d)
-        return await h(c * l), p(l + 1);
+      const p = await e();
+      if (p)
+        return d(), P(p), n.onTokenRefreshed && await Promise.resolve(n.onTokenRefreshed(p)), p;
+      if (u(), k < i)
+        return await $(o * k), R(k + 1);
       throw new Error("Token refresh failed: refresh function returned null");
-    } catch (w) {
-      if (i(), l < d && R(w))
-        return await h(c * l), p(l + 1);
-      throw w;
+    } catch (p) {
+      if (u(), k < i && C(p))
+        return await $(o * k), R(k + 1);
+      throw p;
     }
   }
-  function R(l) {
-    if (l instanceof Error) {
-      const w = l.message.toLowerCase();
-      if (w.includes("rate limit") || w.includes("too many requests") || w.includes("429") || w.includes("limit:") || w.includes("requests per minute") || w.includes("token_blacklisted") || w.includes("blacklisted") || w.includes("invalid") || w.includes("401") || w.includes("unauthorized") || w.includes("session has been revoked") || w.includes("session expired"))
+  function C(k) {
+    if (k instanceof Error) {
+      const p = k.message.toLowerCase();
+      if (p.includes("rate limit") || p.includes("too many requests") || p.includes("429") || p.includes("limit:") || p.includes("requests per minute") || p.includes("token_blacklisted") || p.includes("blacklisted") || p.includes("invalid") || p.includes("401") || p.includes("unauthorized") || p.includes("session has been revoked") || p.includes("session expired"))
         return !1;
-      if (w.includes("network") || w.includes("fetch") || w.includes("timeout"))
+      if (p.includes("network") || p.includes("fetch") || p.includes("timeout"))
         return !0;
     }
     return !1;
   }
-  function S(l) {
-    const w = [..._];
-    _.length = 0;
-    for (const { resolve: N } of w)
-      N(l);
+  function P(k) {
+    const p = [...S];
+    S.length = 0;
+    for (const { resolve: b } of p)
+      b(k);
   }
-  function E(l) {
-    const w = [..._];
-    _.length = 0;
-    for (const { reject: N } of w)
-      N(l);
+  function z(k) {
+    const p = [...S];
+    S.length = 0;
+    for (const { reject: b } of p)
+      b(k);
   }
-  function h(l) {
-    return new Promise((w) => setTimeout(w, l));
+  function $(k) {
+    return new Promise((p) => setTimeout(p, k));
   }
-  async function v(l) {
+  async function W(k) {
     try {
-      if (t.onTokenRefreshFailed && await Promise.resolve(t.onTokenRefreshFailed(l)), m && (await s(), await e(), I && typeof window < "u")) {
-        let w = !0;
-        if (t.onBeforeRedirect && (w = await Promise.resolve(t.onBeforeRedirect(l))), w) {
-          const N = new URL(k, window.location.origin);
-          N.searchParams.set("reason", "session_expired"), N.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = N.toString();
+      if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), l && (await t(), await r(), w && typeof window < "u")) {
+        let p = !0;
+        if (n.onBeforeRedirect && (p = await Promise.resolve(n.onBeforeRedirect(k))), p) {
+          const b = new URL(f, window.location.origin);
+          b.searchParams.set("reason", "session_expired"), b.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = b.toString();
         }
       }
-    } catch (w) {
-      process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", w);
+    } catch (p) {
+      process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", p);
     }
   }
   return {
@@ -601,9 +818,9 @@ function he(r, e, s, t = {}) {
      * Refresh token with single refresh queue
      */
     async refreshToken() {
-      return o ? g || (A = !0, g = p().then((l) => (A = !1, g = null, l)).catch((l) => {
-        throw A = !1, g = null, E(l), v(l).catch(() => {
-        }), l;
+      return s ? g || (A = !0, g = R().then((k) => (A = !1, g = null, k)).catch((k) => {
+        throw A = !1, g = null, z(k), W(k).catch(() => {
+        }), k;
       }), g) : null;
     },
     /**
@@ -616,38 +833,38 @@ function he(r, e, s, t = {}) {
      * Wait for current refresh to complete
      */
     async waitForRefresh() {
-      return g ? new Promise((l, w) => {
-        _.push({ resolve: l, reject: w });
+      return g ? new Promise((k, p) => {
+        S.push({ resolve: k, reject: p });
       }) : null;
     },
     /**
      * Clear state
      */
     clear() {
-      g = null, A = !1, b.length = 0, u(), E(new Error("Token refresh manager cleared"));
+      g = null, A = !1, v.length = 0, d(), z(new Error("Token refresh manager cleared"));
     },
     /**
      * Handle token refresh failure
      */
-    async handleRefreshFailure(l) {
-      return v(l);
+    async handleRefreshFailure(k) {
+      return W(k);
     }
   };
 }
-function we() {
-  const r = process.env.NODE_ENV === "production";
+function Ke() {
+  const e = process.env.NODE_ENV === "production";
   return {
     cookieName: "__mulguard_session",
     expiresIn: 60 * 60 * 24 * 7,
     // 7 days
     httpOnly: !0,
-    secure: r,
+    secure: e,
     // HTTPS only in production
     sameSite: "lax",
     path: "/"
   };
 }
-function me() {
+function Xe() {
   return {
     enabled: !0,
     refreshThreshold: 300,
@@ -662,394 +879,568 @@ function me() {
     autoRedirectOnFailure: !0
   };
 }
-function Me(r) {
-  var D, V;
-  const e = {
-    ...we(),
-    ...r.session
-  }, s = r.actions, t = r.callbacks || {}, o = ((D = r.providers) == null ? void 0 : D.oauth) || {}, d = process.env.NEXT_PUBLIC_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000"), c = {
-    ...me(),
-    ...r.tokenRefresh
-  }, a = { ...s };
-  if (Object.keys(o).length > 0 && !a.signIn.oauth && (a.signIn.oauth = async (n) => {
-    const i = o[n];
+function Je() {
+  return process.env.NEXT_PUBLIC_URL ?? (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000");
+}
+function Ye(e) {
+  const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: i } = e, o = r.cookieName ?? "__mulguard_session";
+  let a = null;
+  const l = async () => {
+    const y = Date.now();
+    if (a && y - a.timestamp < t)
+      return a.session;
+    if (n)
+      try {
+        const h = await n();
+        if (h && N(h))
+          return a = { session: h, timestamp: y }, h;
+        h && !N(h) && (await w(), a = null);
+      } catch (h) {
+        I.debug("getSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
+      }
+    try {
+      const h = await ce(o);
+      if (h)
+        try {
+          const T = JSON.parse(h);
+          if (N(T))
+            return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await w(), a = null, null) : (a = { session: T, timestamp: y }, T);
+          await w(), a = null;
+        } catch {
+          await w(), a = null;
+        }
+    } catch (h) {
+      const T = h instanceof Error ? h.message : String(h);
+      !T.includes("request scope") && !T.includes("cookies") && (I.warn("getSession cookie error", { error: h }), i && await i(
+        h instanceof Error ? h : new Error(String(h)),
+        "getSession.cookie"
+      ));
+    }
+    return null;
+  }, f = async (y) => {
+    if (!N(y))
+      return {
+        success: !1,
+        error: "Invalid session structure"
+      };
+    try {
+      const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), T = oe(o, h, r), _ = await ae(T);
+      return _.success && (a = { session: y, timestamp: Date.now() }), _;
+    } catch (h) {
+      const T = h instanceof Error ? h.message : "Failed to set session";
+      return I.error("setSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "setSession"), {
+        success: !1,
+        error: T
+      };
+    }
+  }, w = async () => {
+    try {
+      await ie(o, {
+        path: r.path,
+        domain: r.domain
+      }), a = null;
+    } catch (y) {
+      I.warn("clearSessionCookie error", { error: y });
+    }
+  }, g = async () => {
+    const y = await l();
+    return y != null && y.accessToken && typeof y.accessToken == "string" ? y.accessToken : null;
+  };
+  return {
+    getSession: l,
+    setSession: f,
+    clearSessionCookie: w,
+    getAccessToken: g,
+    getRefreshToken: async () => {
+      const y = await l();
+      return y != null && y.refreshToken && typeof y.refreshToken == "string" ? y.refreshToken : null;
+    },
+    hasValidTokens: async () => !!await g(),
+    clearCache: () => {
+      a = null;
+    },
+    getSessionConfig: () => ({ cookieName: o, config: r })
+  };
+}
+function Qe(e) {
+  return async (r) => {
+    try {
+      if (!r || typeof r != "object")
+        return {
+          success: !1,
+          error: "Invalid credentials",
+          errorCode: m.VALIDATION_ERROR
+        };
+      if (!r.email || typeof r.email != "string")
+        return {
+          success: !1,
+          error: "Email is required",
+          errorCode: m.VALIDATION_ERROR
+        };
+      const t = G(r.email);
+      if (!K(t))
+        return {
+          success: !1,
+          error: t.error ?? "Invalid email format",
+          errorCode: m.VALIDATION_ERROR
+        };
+      if (!r.password || typeof r.password != "string")
+        return {
+          success: !1,
+          error: "Password is required",
+          errorCode: m.VALIDATION_ERROR
+        };
+      if (r.password.length > 128)
+        return {
+          success: !1,
+          error: "Invalid credentials",
+          errorCode: m.VALIDATION_ERROR
+        };
+      const n = {
+        email: t.sanitized,
+        password: r.password
+        // Don't sanitize password (needed for hashing)
+      }, s = await e.actions.signIn.email(n);
+      if (D(s)) {
+        const i = await e.saveSessionAfterAuth(s);
+        !i.success && i.warning && I.warn("Session save warning", { warning: i.warning });
+      }
+      return s.success ? I.info("Sign in successful", {
+        email: n.email.substring(0, 3) + "***"
+      }) : I.warn("Sign in failed", {
+        email: n.email.substring(0, 3) + "***",
+        errorCode: s.errorCode
+      }), s;
+    } catch (t) {
+      const n = t instanceof Error ? t.message : "Sign in failed";
+      return I.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
+        t instanceof Error ? t : new Error(String(t)),
+        "signIn.email"
+      ), {
+        success: !1,
+        error: "Sign in failed. Please try again.",
+        errorCode: m.UNKNOWN_ERROR
+      };
+    }
+  };
+}
+function Ze(e, r) {
+  return async (t) => {
+    if (!t || typeof t != "string")
+      throw new Error("Provider is required");
+    const n = X(t, {
+      maxLength: 50,
+      allowHtml: !1,
+      required: !0
+    });
+    if (!n.valid || !n.sanitized)
+      throw new Error("Invalid provider");
+    const s = n.sanitized.toLowerCase();
+    if (!e.actions.signIn.oauth)
+      throw new Error(
+        "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
+      );
+    const i = await e.actions.signIn.oauth(s);
+    return await r(i.state, s), I.info("OAuth sign in initiated", { provider: s }), i;
+  };
+}
+function er(e) {
+  return async (r, t) => {
+    if (!r || typeof r != "string")
+      return {
+        success: !1,
+        error: "Email is required",
+        errorCode: m.VALIDATION_ERROR
+      };
+    const n = G(r);
+    if (!K(n))
+      return {
+        success: !1,
+        error: n.error ?? "Invalid email format",
+        errorCode: m.VALIDATION_ERROR
+      };
+    if (t !== void 0 && (typeof t != "string" || t.length < 4 || t.length > 10))
+      return {
+        success: !1,
+        error: "Invalid OTP code format",
+        errorCode: m.VALIDATION_ERROR
+      };
+    if (!e.actions.signIn.otp)
+      return {
+        success: !1,
+        error: "OTP sign in is not configured",
+        errorCode: m.VALIDATION_ERROR
+      };
+    try {
+      const s = await e.actions.signIn.otp(n.sanitized, t);
+      if (D(s)) {
+        const i = await e.saveSessionAfterAuth(s);
+        !i.success && i.warning && I.warn("Session save warning", { warning: i.warning });
+      }
+      return s.success ? I.info("OTP sign in successful", {
+        email: n.sanitized.substring(0, 3) + "***"
+      }) : I.warn("OTP sign in failed", {
+        email: n.sanitized.substring(0, 3) + "***"
+      }), s;
+    } catch (s) {
+      return I.error("OTP sign in error", {
+        error: s instanceof Error ? s.message : "Unknown error",
+        context: "signIn.otp"
+      }), e.onError && await e.onError(
+        s instanceof Error ? s : new Error(String(s)),
+        "signIn.otp"
+      ), {
+        success: !1,
+        error: "OTP sign in failed. Please try again.",
+        errorCode: m.UNKNOWN_ERROR
+      };
+    }
+  };
+}
+function rr(e) {
+  return async (r) => {
+    if (!e.actions.signIn.passkey)
+      throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
+    try {
+      const t = await e.actions.signIn.passkey(r);
+      if (D(t)) {
+        const n = await e.saveSessionAfterAuth(t);
+        !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
+      }
+      return t;
+    } catch (t) {
+      return e.onError && await e.onError(
+        t instanceof Error ? t : new Error(String(t)),
+        "signIn.passkey"
+      ), {
+        success: !1,
+        error: t instanceof Error ? t.message : "PassKey sign in failed"
+      };
+    }
+  };
+}
+function tr(e, r) {
+  const t = Qe(e), n = Ze(e, r), s = er(e), i = rr(e);
+  return Object.assign(async (l, f) => {
+    if (!l || typeof l != "string")
+      throw new Error("Provider is required");
+    const w = X(l, {
+      maxLength: 50,
+      allowHtml: !1,
+      required: !0
+    });
+    if (!w.valid || !w.sanitized)
+      throw new Error("Invalid provider");
+    const g = w.sanitized.toLowerCase();
+    if (g === "google" || g === "github" || g === "apple" || g === "facebook" || typeof g == "string" && !["credentials", "otp", "passkey"].includes(g))
+      return n(g);
+    if (g === "credentials")
+      return !f || !("email" in f) || !("password" in f) ? {
+        success: !1,
+        error: "Credentials are required",
+        errorCode: m.VALIDATION_ERROR
+      } : t(f);
+    if (g === "otp") {
+      if (!f || !("email" in f))
+        return {
+          success: !1,
+          error: "Email is required",
+          errorCode: m.VALIDATION_ERROR
+        };
+      const A = f;
+      return s(A.email, A.code);
+    }
+    return g === "passkey" ? i(f) : {
+      success: !1,
+      error: "Invalid provider",
+      errorCode: m.VALIDATION_ERROR
+    };
+  }, {
+    email: t,
+    oauth: e.actions.signIn.oauth ? n : void 0,
+    passkey: e.actions.signIn.passkey ? i : void 0,
+    otp: e.actions.signIn.otp ? s : void 0
+  });
+}
+function nr(e) {
+  return async (r) => {
+    if (!e.actions.signUp)
+      throw new Error("Sign up is not configured. Provide signUp action in config.");
+    try {
+      const t = await e.actions.signUp(r);
+      if (D(t)) {
+        const n = await e.saveSessionAfterAuth(t);
+        !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
+      }
+      return t;
+    } catch (t) {
+      return e.onError && await e.onError(
+        t instanceof Error ? t : new Error(String(t)),
+        "signUp"
+      ), {
+        success: !1,
+        error: t instanceof Error ? t.message : "Sign up failed"
+      };
+    }
+  };
+}
+function sr(e, r) {
+  return async (t, n, s) => {
+    const i = e.oauthProviders[t];
     if (!i)
-      throw new Error(`OAuth provider "${n}" is not configured. Add it to providers.oauth in config.`);
-    if (!i.clientId)
-      throw new Error(`OAuth provider "${n}" is missing clientId`);
-    const u = ne();
-    return { url: ce(n, i, d, u), state: u };
-  }), Object.keys(o).length > 0 && !a.oauthCallback && (a.oauthCallback = async (n, i, u) => {
-    const p = o[n];
-    if (!p)
       return {
         success: !1,
-        error: `OAuth provider "${n}" is not configured`,
-        errorCode: y.VALIDATION_ERROR
+        error: `OAuth provider "${t}" is not configured`,
+        errorCode: m.VALIDATION_ERROR
       };
     try {
-      const R = p.redirectUri || `${d}/api/auth/callback/${n}`, S = await le(n, p, i, R), E = await ue(n, S.access_token), h = {
-        id: E.id,
-        email: E.email,
-        name: E.name,
-        avatar: E.avatar,
-        emailVerified: E.emailVerified,
-        // ✅ NEW: Add provider information
-        provider: n,
-        // ✅ NEW: Add access token (required for backend API integration)
-        accessToken: S.access_token,
-        // ✅ NEW: Add refresh token (optional, for token refresh)
-        refreshToken: S.refresh_token,
-        // ✅ NEW: Add complete tokens object
+      const o = i.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await Ue(t, i, n, o), l = await Fe(t, a.access_token), f = {
+        id: l.id,
+        email: l.email,
+        name: l.name,
+        avatar: l.avatar,
+        emailVerified: l.emailVerified,
+        provider: t,
+        accessToken: a.access_token,
+        refreshToken: a.refresh_token,
         tokens: {
-          access_token: S.access_token,
-          refresh_token: S.refresh_token,
-          expires_in: S.expires_in,
-          token_type: S.token_type,
-          id_token: S.id_token
+          access_token: a.access_token,
+          refresh_token: a.refresh_token,
+          expires_in: a.expires_in,
+          token_type: a.token_type,
+          id_token: a.id_token
         },
-        // ✅ NEW: Add raw profile data (for advanced use cases)
-        rawProfile: E.rawProfile
+        rawProfile: l.rawProfile
       };
-      if (t.onOAuthUser) {
-        const v = await g(t.onOAuthUser, h, n);
-        if (!v)
+      if (e.callbacks.onOAuthUser) {
+        const w = await q(
+          e.callbacks.onOAuthUser,
+          [f, t],
+          e.onError
+        );
+        if (!w)
           return {
             success: !1,
             error: "Failed to create or retrieve user",
-            errorCode: y.VALIDATION_ERROR
+            errorCode: m.VALIDATION_ERROR
           };
-        const l = {
-          user: {
-            id: v.id,
-            email: v.email,
-            name: v.name,
-            avatar: h.avatar,
-            emailVerified: h.emailVerified
-          },
-          expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3),
-          accessToken: S.access_token,
-          refreshToken: S.refresh_token,
-          tokenType: "Bearer",
-          expiresIn: S.expires_in
-        };
-        return await b(l), m = { session: l, timestamp: Date.now() }, t.onSignIn && await g(t.onSignIn, l.user, l), { success: !0, user: l.user, session: l };
+        const g = e.createSession(w, f, a);
+        return await e.saveSession(g), e.callbacks.onSignIn && await q(
+          e.callbacks.onSignIn,
+          [g.user, g],
+          e.onError
+        ), { success: !0, user: g.user, session: g };
       }
       return {
         success: !1,
         error: "OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",
-        errorCode: y.VALIDATION_ERROR
+        errorCode: m.VALIDATION_ERROR
       };
-    } catch (R) {
-      return P.error("OAuth callback failed", { provider: n, error: R }), {
+    } catch (o) {
+      return I.error("OAuth callback failed", { provider: t, error: o }), {
         success: !1,
-        error: R instanceof Error ? R.message : "OAuth callback failed",
-        errorCode: y.NETWORK_ERROR
+        error: o instanceof Error ? o.message : "OAuth callback failed",
+        errorCode: m.NETWORK_ERROR
       };
     }
-  }), !a.signIn || !a.signIn.email)
-    throw new Error("mulguard: signIn.email action is required");
-  let m = null;
-  const k = ((V = r.session) == null ? void 0 : V.cacheTtl) ?? r.sessionCacheTtl ?? 5e3, I = r.oauthStateStore || de(), g = async (n, ...i) => {
-    if (n)
-      try {
-        return await n(...i);
-      } catch (u) {
-        throw t.onError && await t.onError(u instanceof Error ? u : new Error(String(u)), "callback"), u;
-      }
-  }, A = async (n, i) => {
-    const u = {
-      provider: i,
+  };
+}
+async function q(e, r, t) {
+  if (e)
+    try {
+      return await e(...r);
+    } catch (n) {
+      throw t && await t(
+        n instanceof Error ? n : new Error(String(n)),
+        "callback"
+      ), n;
+    }
+}
+function ir(e, r, t, n) {
+  if (Object.keys(e).length !== 0)
+    return async (s) => {
+      const i = e[s];
+      if (!i)
+        throw new Error(`OAuth provider "${s}" is not configured. Add it to providers.oauth in config.`);
+      if (!i.clientId)
+        throw new Error(`OAuth provider "${s}" is missing clientId`);
+      const o = t();
+      return { url: n(s, i, r, o), state: o };
+    };
+}
+function et(e) {
+  var L, M;
+  const r = {
+    ...Ke(),
+    ...e.session
+  }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, i = Je(), o = {
+    ...Xe(),
+    ...e.tokenRefresh
+  }, a = ((M = e.session) == null ? void 0 : M.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, l = e.oauthStateStore || $e(), f = { ...t }, w = async (c, u) => {
+    const d = {
+      provider: u,
       expiresAt: Date.now() + 6e5
       // 10 minutes
     };
-    await Promise.resolve(I.set(n, u, 10 * 60 * 1e3)), I.cleanup && await Promise.resolve(I.cleanup());
-  }, _ = async (n, i) => {
-    const u = await Promise.resolve(I.get(n));
-    return u ? u.expiresAt < Date.now() ? (await Promise.resolve(I.delete(n)), !1) : u.provider !== i ? !1 : (await Promise.resolve(I.delete(n)), !0) : !1;
-  }, b = async (n) => {
-    const i = e.cookieName || "__mulguard_session", u = typeof n == "object" && "token" in n ? String(n.token) : JSON.stringify(n), p = X(i, u, e);
-    return await Y(p);
-  }, U = async (n) => {
-    if (!n.success || !n.session)
+    await Promise.resolve(l.set(c, d, 10 * 60 * 1e3)), l.cleanup && await Promise.resolve(l.cleanup());
+  }, g = async (c, u) => {
+    const d = await Promise.resolve(l.get(c));
+    return d ? d.expiresAt < Date.now() ? (await Promise.resolve(l.delete(c)), !1) : d.provider !== u ? !1 : (await Promise.resolve(l.delete(c)), !0) : !1;
+  }, A = ir(
+    s,
+    i,
+    _e,
+    be
+  );
+  if (A && !f.signIn.oauth) {
+    const c = f.signIn;
+    f.signIn = {
+      ...c,
+      oauth: async (u) => {
+        const d = await A(u);
+        return await w(d.state, u), d;
+      }
+    };
+  }
+  if (!f.signIn || !f.signIn.email)
+    throw new Error("mulguard: signIn.email action is required");
+  const S = async (c, ...u) => {
+    if (c)
+      try {
+        return await c(...u);
+      } catch (d) {
+        throw n.onError && await n.onError(d instanceof Error ? d : new Error(String(d)), "callback"), d;
+      }
+  }, v = Ye({
+    sessionConfig: r,
+    cacheTtl: a,
+    getSessionAction: t.getSession,
+    onSessionExpired: n.onSessionExpired,
+    onError: n.onError
+  }), y = async (c) => {
+    if (!D(c) || !c.session)
       return { success: !0 };
-    const i = await b(n.session);
-    return m = { session: n.session, timestamp: Date.now() }, n.user && t.onSignIn && await g(t.onSignIn, n.user, n.session), i;
-  }, T = async () => {
-    const n = e.cookieName || "__mulguard_session";
-    await J(n, {
-      path: e.path,
-      domain: e.domain
-    });
+    const u = await v.setSession(c.session);
+    return c.user && n.onSignIn && await S(n.onSignIn, c.user, c.session), u;
   };
-  let O = null;
-  const C = {
+  if (Object.keys(s).length > 0 && !f.oauthCallback) {
+    const c = sr(
+      {
+        oauthProviders: s,
+        baseUrl: i,
+        callbacks: n,
+        createSession: (u, d, R) => ({
+          user: {
+            ...u,
+            avatar: d.avatar,
+            emailVerified: d.emailVerified
+          },
+          expiresAt: new Date(Date.now() + (r.expiresIn || 604800) * 1e3),
+          accessToken: R.access_token,
+          refreshToken: R.refresh_token,
+          tokenType: "Bearer",
+          expiresIn: R.expires_in
+        }),
+        saveSession: async (u) => {
+          await v.setSession(u);
+        },
+        onError: n.onError
+      }
+    );
+    f.oauthCallback = c;
+  }
+  const h = tr(
+    {
+      actions: f,
+      callbacks: n,
+      saveSessionAfterAuth: y,
+      onError: n.onError
+    },
+    w
+  ), T = nr({
+    actions: f,
+    callbacks: n,
+    saveSessionAfterAuth: y,
+    onError: n.onError
+  }), _ = {
     /**
      * Get current session
      * Uses custom getSession action if provided, otherwise falls back to reading from cookie
-     * ✅ IMPROVEMENT: Added session caching for better performance
      */
     async getSession() {
-      const n = Date.now();
-      if (m && n - m.timestamp < k)
-        return m.session;
-      if (s.getSession)
-        try {
-          const i = await s.getSession();
-          if (i && x(i))
-            return m = { session: i, timestamp: n }, i;
-          i && !x(i) && (await T(), m = null);
-        } catch (i) {
-          P.debug("getSession error", { error: i }), t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "getSession"), m = null;
-        }
-      try {
-        const i = e.cookieName || "__mulguard_session", u = await G(i);
-        if (u)
-          try {
-            const p = JSON.parse(u);
-            if (x(p))
-              return p.expiresAt && new Date(p.expiresAt) < /* @__PURE__ */ new Date() ? (t.onSessionExpired && await g(t.onSessionExpired, p), await T(), m = null, null) : (m = { session: p, timestamp: n }, p);
-            await T(), m = null;
-          } catch {
-            await T(), m = null;
-          }
-      } catch (i) {
-        const u = i instanceof Error ? i.message : String(i);
-        !u.includes("request scope") && !u.includes("cookies") && (P.warn("getSession cookie error", { error: i }), t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "getSession.cookie"));
-      }
-      return null;
+      return await v.getSession();
     },
     /**
      * Get access token from current session
      */
     async getAccessToken() {
-      const n = await this.getSession();
-      return n != null && n.accessToken && typeof n.accessToken == "string" ? n.accessToken : null;
+      return await v.getAccessToken();
     },
     /**
      * Get refresh token from current session
      */
     async getRefreshToken() {
-      const n = await this.getSession();
-      return n != null && n.refreshToken && typeof n.refreshToken == "string" ? n.refreshToken : null;
+      return await v.getRefreshToken();
     },
     /**
      * Check if session has valid tokens
      */
     async hasValidTokens() {
-      return !!await this.getAccessToken();
+      return await v.hasValidTokens();
     },
     /**
      * Unified sign in method - supports both unified and direct method calls
-     * ✅ IMPROVEMENT: Single unified logic for all sign-in methods
      */
-    signIn: (() => {
-      const n = async (E) => {
-        try {
-          if (!E || typeof E != "object")
-            return {
-              success: !1,
-              error: "Invalid credentials",
-              errorCode: y.VALIDATION_ERROR
-            };
-          if (!E.email || typeof E.email != "string")
-            return {
-              success: !1,
-              error: "Email is required",
-              errorCode: y.VALIDATION_ERROR
-            };
-          const h = M(E.email);
-          if (!h.valid)
-            return {
-              success: !1,
-              error: h.error || "Invalid email format",
-              errorCode: y.VALIDATION_ERROR
-            };
-          if (!E.password || typeof E.password != "string")
-            return {
-              success: !1,
-              error: "Password is required",
-              errorCode: y.VALIDATION_ERROR
-            };
-          if (E.password.length > 128)
-            return {
-              success: !1,
-              error: "Invalid credentials",
-              errorCode: y.VALIDATION_ERROR
-            };
-          const v = {
-            email: h.sanitized,
-            password: E.password
-            // Don't sanitize password (needed for hashing)
-          }, l = await a.signIn.email(v);
-          return l.success && l.session && await U(l), l.success ? P.info("Sign in successful", { email: v.email.substring(0, 3) + "***" }) : P.warn("Sign in failed", { email: v.email.substring(0, 3) + "***", errorCode: l.errorCode }), l;
-        } catch (h) {
-          const v = h instanceof Error ? h.message : "Sign in failed";
-          return P.error("Sign in error", { error: v, context: "signIn.email" }), t.onError && await g(t.onError, h instanceof Error ? h : new Error(String(h)), "signIn.email"), {
-            success: !1,
-            error: "Sign in failed. Please try again.",
-            errorCode: y.UNKNOWN_ERROR
-          };
-        }
-      }, i = async (E) => {
-        if (!E || typeof E != "string")
-          throw new Error("Provider is required");
-        const h = z(E, { maxLength: 50, allowHtml: !1, required: !0 });
-        if (!h.valid || !h.sanitized)
-          throw new Error("Invalid provider");
-        const v = h.sanitized.toLowerCase();
-        if (!a.signIn.oauth)
-          throw new Error(
-            "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
-          );
-        const l = await a.signIn.oauth(v);
-        return await A(l.state, v), P.info("OAuth sign in initiated", { provider: v }), l;
-      }, u = async (E) => {
-        if (!a.signIn.passkey)
-          throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
-        try {
-          const h = await a.signIn.passkey(E);
-          return h.success && h.session && await U(h), h;
-        } catch (h) {
-          return t.onError && await g(t.onError, h instanceof Error ? h : new Error(String(h)), "signIn.passkey"), {
-            success: !1,
-            error: h instanceof Error ? h.message : "PassKey sign in failed"
-          };
-        }
-      }, p = async (E, h) => {
-        if (!E || typeof E != "string")
-          return {
-            success: !1,
-            error: "Email is required",
-            errorCode: y.VALIDATION_ERROR
-          };
-        const v = M(E);
-        if (!v.valid)
-          return {
-            success: !1,
-            error: v.error || "Invalid email format",
-            errorCode: y.VALIDATION_ERROR
-          };
-        if (h !== void 0 && (typeof h != "string" || h.length < 4 || h.length > 10))
-          return {
-            success: !1,
-            error: "Invalid OTP code format",
-            errorCode: y.VALIDATION_ERROR
-          };
-        if (!a.signIn.otp)
-          return {
-            success: !1,
-            error: "OTP sign in is not configured",
-            errorCode: y.VALIDATION_ERROR
-          };
-        try {
-          const l = await a.signIn.otp(v.sanitized, h);
-          return l.success && l.session && await U(l), l.success ? P.info("OTP sign in successful", { email: v.sanitized.substring(0, 3) + "***" }) : P.warn("OTP sign in failed", { email: v.sanitized.substring(0, 3) + "***" }), l;
-        } catch (l) {
-          return P.error("OTP sign in error", { error: l instanceof Error ? l.message : "Unknown error", context: "signIn.otp" }), t.onError && await g(t.onError, l instanceof Error ? l : new Error(String(l)), "signIn.otp"), {
-            success: !1,
-            error: "OTP sign in failed. Please try again.",
-            errorCode: y.UNKNOWN_ERROR
-          };
-        }
-      }, S = Object.assign(
-        async (E, h) => {
-          if (!E || typeof E != "string")
-            throw new Error("Provider is required");
-          const v = z(E, { maxLength: 50, allowHtml: !1, required: !0 });
-          if (!v.valid || !v.sanitized)
-            throw new Error("Invalid provider");
-          const l = v.sanitized.toLowerCase();
-          if (l === "google" || l === "github" || l === "apple" || l === "facebook" || typeof l == "string" && !["credentials", "otp", "passkey"].includes(l))
-            return i(l);
-          if (l === "credentials")
-            return !h || !("email" in h) || !("password" in h) ? {
-              success: !1,
-              error: "Credentials are required",
-              errorCode: y.VALIDATION_ERROR
-            } : n(h);
-          if (l === "otp") {
-            if (!h || !("email" in h))
-              return {
-                success: !1,
-                error: "Email is required",
-                errorCode: y.VALIDATION_ERROR
-              };
-            const w = h;
-            return p(w.email, w.code);
-          }
-          return l === "passkey" ? u(h) : {
-            success: !1,
-            error: "Invalid provider",
-            errorCode: y.VALIDATION_ERROR
-          };
-        },
-        {
-          email: n,
-          oauth: a.signIn.oauth ? i : void 0,
-          passkey: a.signIn.passkey ? u : void 0,
-          otp: a.signIn.otp ? p : void 0
-        }
-      );
-      return O = S, S;
-    })(),
+    signIn: h,
     /**
      * Sign up new user
      */
-    async signUp(n) {
-      if (!a.signUp)
+    async signUp(c) {
+      if (!T)
         throw new Error("Sign up is not configured. Provide signUp action in config.");
-      try {
-        const i = await a.signUp(n);
-        return i.success && i.session && await U(i), i;
-      } catch (i) {
-        return t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "signUp"), {
-          success: !1,
-          error: i instanceof Error ? i.message : "Sign up failed"
-        };
-      }
+      return await T(c);
     },
     /**
      * Sign out
      */
     async signOut() {
       try {
-        const n = await this.getSession(), i = n == null ? void 0 : n.user;
-        return s.signOut && await s.signOut(), await T(), m = null, i && t.onSignOut && await g(t.onSignOut, i), { success: !0 };
-      } catch (n) {
-        return await T(), t.onError && await g(t.onError, n instanceof Error ? n : new Error(String(n)), "signOut"), {
+        const c = await this.getSession(), u = c == null ? void 0 : c.user;
+        return t.signOut && await t.signOut(), await v.clearSessionCookie(), v.clearCache(), u && n.onSignOut && await S(n.onSignOut, u), { success: !0 };
+      } catch (c) {
+        return await v.clearSessionCookie(), v.clearCache(), n.onError && await S(n.onError, c instanceof Error ? c : new Error(String(c)), "signOut"), {
           success: !1,
-          error: n instanceof Error ? n.message : "Sign out failed"
+          error: c instanceof Error ? c.message : "Sign out failed"
         };
       }
     },
     /**
      * Request password reset
      */
-    async resetPassword(n) {
-      if (!s.resetPassword)
+    async resetPassword(c) {
+      if (!t.resetPassword)
         throw new Error("Password reset is not configured. Provide resetPassword action in config.");
       try {
-        return await s.resetPassword(n);
-      } catch (i) {
-        return t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "resetPassword"), {
+        return await t.resetPassword(c);
+      } catch (u) {
+        return n.onError && await S(n.onError, u instanceof Error ? u : new Error(String(u)), "resetPassword"), {
           success: !1,
-          error: i instanceof Error ? i.message : "Password reset failed"
+          error: u instanceof Error ? u.message : "Password reset failed"
         };
       }
     },
     /**
      * Verify email address
      */
-    async verifyEmail(n) {
-      if (!s.verifyEmail)
+    async verifyEmail(c) {
+      if (!t.verifyEmail)
         throw new Error("Email verification is not configured. Provide verifyEmail action in config.");
       try {
-        return await s.verifyEmail(n);
-      } catch (i) {
-        return t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "verifyEmail"), {
+        return await t.verifyEmail(c);
+      } catch (u) {
+        return n.onError && await S(n.onError, u instanceof Error ? u : new Error(String(u)), "verifyEmail"), {
           success: !1,
-          error: i instanceof Error ? i.message : "Email verification failed"
+          error: u instanceof Error ? u.message : "Email verification failed"
         };
       }
     },
@@ -1058,73 +1449,73 @@ function Me(r) {
      * Executes custom refreshSession action with improved error handling and callbacks
      */
     async refreshSession() {
-      if (!s.refreshSession)
+      if (!t.refreshSession)
         return this.getSession();
       try {
-        const n = await s.refreshSession();
-        if (n && x(n)) {
-          if (await b(n), m = { session: n, timestamp: Date.now() }, t.onSessionUpdate) {
-            const i = await g(t.onSessionUpdate, n);
-            if (i && x(i)) {
-              if (await b(i), t.onTokenRefresh) {
-                const u = await this.getSession();
-                u && await g(t.onTokenRefresh, u, i);
+        const c = await t.refreshSession();
+        if (c && N(c)) {
+          if (await v.setSession(c), n.onSessionUpdate) {
+            const u = await S(n.onSessionUpdate, c);
+            if (u && N(u)) {
+              if (await v.setSession(u), n.onTokenRefresh) {
+                const d = await this.getSession();
+                d && await S(n.onTokenRefresh, d, u);
               }
-              return i;
+              return u;
             }
           }
-          if (t.onTokenRefresh) {
-            const i = await this.getSession();
-            i && await g(t.onTokenRefresh, i, n);
+          if (n.onTokenRefresh) {
+            const u = await this.getSession();
+            u && await S(n.onTokenRefresh, u, c);
           }
-          return n;
-        } else if (n && !x(n))
-          return await T(), null;
+          return c;
+        } else if (c && !N(c))
+          return await v.clearSessionCookie(), v.clearCache(), null;
         return null;
-      } catch (n) {
-        return await T(), t.onError && await g(t.onError, n instanceof Error ? n : new Error(String(n)), "refreshSession"), null;
+      } catch (c) {
+        return await v.clearSessionCookie(), v.clearCache(), n.onError && await S(n.onError, c instanceof Error ? c : new Error(String(c)), "refreshSession"), null;
       }
     },
     /**
      * OAuth callback handler
      * ✅ Auto-generated if providers.oauth is configured in config
      */
-    async oauthCallback(n, i, u) {
-      if (!a.oauthCallback)
+    async oauthCallback(c, u, d) {
+      if (!f.oauthCallback)
         throw new Error(
           "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
         );
-      if (!n || !i || !u)
+      if (!u || !d)
         return {
           success: !1,
-          error: "Missing required OAuth parameters (provider, code, or state)",
-          errorCode: y.VALIDATION_ERROR
+          error: "Missing required OAuth parameters (code or state)",
+          errorCode: m.VALIDATION_ERROR
         };
-      if (!await _(u, n))
+      let R = c;
+      if (!R) {
+        const P = await Promise.resolve(l.get(d));
+        if (P && P.provider)
+          R = P.provider;
+        else
+          return {
+            success: !1,
+            error: "Provider is required and could not be extracted from state",
+            errorCode: m.VALIDATION_ERROR
+          };
+      }
+      if (!await g(d, R))
         return {
           success: !1,
           error: "Invalid or expired state parameter",
-          errorCode: y.VALIDATION_ERROR
+          errorCode: m.VALIDATION_ERROR
         };
       try {
-        const R = await a.oauthCallback(n, i, u);
-        if (R.success && R.session) {
-          const S = await U(R);
-          S.success || (process.env.NODE_ENV === "development" && P.debug("Failed to save session cookie after oauthCallback", {
-            error: S.error,
-            warning: S.warning
-          }), t.onError && await g(
-            t.onError,
-            new Error(S.warning || S.error || "Failed to save session cookie"),
-            "oauthCallback.setSession"
-          ));
-        }
-        return R;
-      } catch (R) {
-        return t.onError && await g(t.onError, R instanceof Error ? R : new Error(String(R)), "oauthCallback"), {
+        return await f.oauthCallback(R, u, d);
+      } catch (P) {
+        return n.onError && await S(n.onError, P instanceof Error ? P : new Error(String(P)), "oauthCallback"), {
           success: !1,
-          error: R instanceof Error ? R.message : "OAuth callback failed",
-          errorCode: y.NETWORK_ERROR
+          error: P instanceof Error ? P.message : "OAuth callback failed",
+          errorCode: m.NETWORK_ERROR
         };
       }
     },
@@ -1132,28 +1523,28 @@ function Me(r) {
      * Verify 2FA code after initial sign in
      * Used when signIn returns requires2FA: true
      */
-    async verify2FA(n, i) {
-      if (!s.verify2FA)
+    async verify2FA(c, u) {
+      if (!t.verify2FA)
         throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
       try {
-        const u = await s.verify2FA(n);
-        if (u.success && u.session && !(i != null && i.skipCookieSave)) {
-          const p = await U(u);
-          p.success || (process.env.NODE_ENV === "development" && P.debug("Failed to save session cookie after verify2FA", {
-            error: p.error,
-            warning: p.warning
-          }), t.onError && await g(
-            t.onError,
-            new Error(p.warning || p.error || "Failed to save session cookie"),
+        const d = await t.verify2FA(c);
+        if (d.success && d.session && !(u != null && u.skipCookieSave)) {
+          const R = await y(d);
+          R.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after verify2FA", {
+            error: R.error,
+            warning: R.warning
+          }), n.onError && await S(
+            n.onError,
+            new Error(R.warning || R.error || "Failed to save session cookie"),
             "verify2FA.setSession"
           ));
         }
-        return u;
-      } catch (u) {
-        return t.onError && await g(t.onError, u instanceof Error ? u : new Error(String(u)), "verify2FA"), {
+        return d;
+      } catch (d) {
+        return n.onError && await S(n.onError, d instanceof Error ? d : new Error(String(d)), "verify2FA"), {
           success: !1,
-          error: u instanceof Error ? u.message : "2FA verification failed",
-          errorCode: y.TWO_FA_REQUIRED
+          error: d instanceof Error ? d.message : "2FA verification failed",
+          errorCode: m.TWO_FA_REQUIRED
         };
       }
     },
@@ -1161,11 +1552,8 @@ function Me(r) {
      * Set session directly
      * Useful for Server Actions that need to save session manually
      */
-    async setSession(n) {
-      return x(n) ? await b(n) : {
-        success: !1,
-        error: "Invalid session structure"
-      };
+    async setSession(c) {
+      return await v.setSession(c);
     },
     /**
      * Internal method to get session config for Server Actions
@@ -1173,584 +1561,562 @@ function Me(r) {
      * @internal
      */
     _getSessionConfig() {
-      return {
-        cookieName: e.cookieName || "__mulguard_session",
-        config: e
-      };
+      return v.getSessionConfig();
     },
     _getCallbacks() {
-      return t;
+      return n;
     },
     /**
      * PassKey methods
      */
-    passkey: s.passkey ? {
-      register: s.passkey.register,
-      authenticate: async (n) => {
-        var i;
-        if (!((i = s.passkey) != null && i.authenticate))
+    passkey: t.passkey ? {
+      register: t.passkey.register,
+      authenticate: async (c) => {
+        var u;
+        if (!((u = t.passkey) != null && u.authenticate))
           throw new Error("PassKey authenticate is not configured.");
         try {
-          const u = await s.passkey.authenticate(n);
-          return u.success && u.session && await U(u), u;
-        } catch (u) {
-          return t.onError && await g(t.onError, u instanceof Error ? u : new Error(String(u)), "passkey.authenticate"), {
+          const d = await t.passkey.authenticate(c);
+          return d.success && d.session && await y(d), d;
+        } catch (d) {
+          return n.onError && await S(n.onError, d instanceof Error ? d : new Error(String(d)), "passkey.authenticate"), {
             success: !1,
-            error: u instanceof Error ? u.message : "PassKey authentication failed"
+            error: d instanceof Error ? d.message : "PassKey authentication failed"
           };
         }
       },
-      list: s.passkey.list,
-      remove: s.passkey.remove
+      list: t.passkey.list ? async () => {
+        var u;
+        if (!((u = t.passkey) != null && u.list))
+          throw new Error("PassKey list is not configured.");
+        return [...await t.passkey.list()];
+      } : void 0,
+      remove: t.passkey.remove
     } : void 0,
     /**
      * Two-Factor Authentication methods
      */
-    twoFactor: s.twoFactor ? {
-      enable: s.twoFactor.enable,
-      verify: s.twoFactor.verify,
-      disable: s.twoFactor.disable,
-      generateBackupCodes: s.twoFactor.generateBackupCodes,
-      isEnabled: s.twoFactor.isEnabled,
-      verify2FA: async (n) => {
-        var u;
-        const i = ((u = s.twoFactor) == null ? void 0 : u.verify2FA) || s.verify2FA;
-        if (!i)
+    twoFactor: t.twoFactor ? {
+      enable: t.twoFactor.enable,
+      verify: t.twoFactor.verify,
+      disable: t.twoFactor.disable,
+      generateBackupCodes: t.twoFactor.generateBackupCodes,
+      isEnabled: t.twoFactor.isEnabled,
+      verify2FA: async (c) => {
+        var d;
+        const u = ((d = t.twoFactor) == null ? void 0 : d.verify2FA) || t.verify2FA;
+        if (!u)
           throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
         try {
-          const p = await i(n);
-          if (p.success && p.session) {
-            const R = await U(p);
-            R.success || (process.env.NODE_ENV === "development" && P.debug("Failed to save session cookie after twoFactor.verify2FA", {
-              error: R.error,
-              warning: R.warning
-            }), t.onError && await g(
-              t.onError,
-              new Error(R.warning || R.error || "Failed to save session cookie"),
+          const R = await u(c);
+          if (R.success && R.session) {
+            const C = await y(R);
+            C.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after twoFactor.verify2FA", {
+              error: C.error,
+              warning: C.warning
+            }), n.onError && await S(
+              n.onError,
+              new Error(C.warning || C.error || "Failed to save session cookie"),
               "twoFactor.verify2FA.setSession"
             ));
           }
-          return p;
-        } catch (p) {
-          return t.onError && await g(t.onError, p instanceof Error ? p : new Error(String(p)), "twoFactor.verify2FA"), {
+          return R;
+        } catch (R) {
+          return n.onError && await S(n.onError, R instanceof Error ? R : new Error(String(R)), "twoFactor.verify2FA"), {
             success: !1,
-            error: p instanceof Error ? p.message : "2FA verification failed",
-            errorCode: y.UNKNOWN_ERROR
+            error: R instanceof Error ? R.message : "2FA verification failed",
+            errorCode: m.UNKNOWN_ERROR
           };
         }
       }
     } : void 0,
     /**
      * Sign in methods - alias for signIn (for backward compatibility)
-     * ✅ IMPROVEMENT: Uses unified signIn logic
      */
     signInMethods: {
-      email: (n) => O.email(n),
-      oauth: (n) => {
-        var i;
-        return ((i = O.oauth) == null ? void 0 : i.call(O, n)) || Promise.reject(new Error("OAuth not configured"));
-      },
-      passkey: (n) => {
-        var i;
-        return ((i = O.passkey) == null ? void 0 : i.call(O, n)) || Promise.reject(new Error("Passkey not configured"));
+      email: (c) => h.email(c),
+      oauth: (c) => {
+        var u;
+        return ((u = h.oauth) == null ? void 0 : u.call(h, c)) || Promise.reject(new Error("OAuth not configured"));
       },
-      otp: (n, i) => {
+      passkey: (c) => {
         var u;
-        return ((u = O.otp) == null ? void 0 : u.call(O, n, i)) || Promise.reject(new Error("OTP not configured"));
+        return ((u = h.passkey) == null ? void 0 : u.call(h, c)) || Promise.reject(new Error("Passkey not configured"));
+      },
+      otp: (c, u) => {
+        var d;
+        return ((d = h.otp) == null ? void 0 : d.call(h, c, u)) || Promise.reject(new Error("OTP not configured"));
       }
     }
   };
-  if (s.refreshSession) {
-    const n = he(
-      async () => await C.refreshSession(),
-      async () => await C.signOut(),
+  if (t.refreshSession) {
+    const c = Ge(
+      async () => await _.refreshSession(),
+      async () => await _.signOut(),
       async () => {
-        await T();
+        await v.clearSessionCookie(), v.clearCache();
       },
       {
-        ...c,
-        onTokenRefreshed: c.onTokenRefreshed,
-        onTokenRefreshFailed: c.onTokenRefreshFailed,
-        onBeforeRedirect: c.onBeforeRedirect
+        ...o,
+        onTokenRefreshed: o.onTokenRefreshed,
+        onTokenRefreshFailed: o.onTokenRefreshFailed,
+        onBeforeRedirect: o.onBeforeRedirect
       }
     );
-    C._tokenRefreshManager = n, C._getTokenRefreshManager = () => n;
+    _._tokenRefreshManager = c, _._getTokenRefreshManager = () => c;
   }
-  return C;
+  return _;
 }
-function ze(r) {
+function rt(e) {
   return {
-    GET: async (e) => W(e, r, "GET"),
-    POST: async (e) => W(e, r, "POST")
+    GET: async (r) => B(r, e, "GET"),
+    POST: async (r) => B(r, e, "POST")
   };
 }
-async function W(r, e, s) {
-  const t = new URL(r.url), o = t.pathname.replace(/^\/api\/auth/, "") || "/session", d = o.split("/").filter(Boolean);
+async function B(e, r, t) {
+  const n = new URL(e.url), s = or(n.pathname), i = s.split("/").filter(Boolean);
   try {
-    if (s === "GET") {
-      if (o === "/session" || o === "/") {
-        const c = await e.getSession();
-        return f.json({ session: c });
-      }
-      if (o === "/providers")
-        return f.json({
-          providers: {
-            email: !!e.signIn.email,
-            oauth: !!e.signIn.oauth,
-            passkey: !!e.signIn.passkey
-          }
-        });
-      if (o.startsWith("/oauth/callback") || d[0] === "oauth" && d[1] === "callback") {
-        if (!e.oauthCallback)
-          return f.redirect(new URL("/login?error=oauth_not_configured", r.url));
-        const c = d[2] || t.searchParams.get("provider"), a = t.searchParams.get("code"), m = t.searchParams.get("state");
-        if (!c || !a || !m)
-          return f.redirect(new URL("/login?error=oauth_missing_params", r.url));
-        try {
-          const k = await e.oauthCallback(c, a, m);
-          if (k.success) {
-            const I = t.searchParams.get("callbackUrl") || "/";
-            return f.redirect(new URL(I, r.url));
-          } else
-            return f.redirect(
-              new URL(`/login?error=${encodeURIComponent(k.error || "oauth_failed")}`, r.url)
-            );
-        } catch (k) {
-          return f.redirect(
-            new URL(
-              `/login?error=${encodeURIComponent(k instanceof Error ? k.message : "oauth_error")}`,
-              r.url
-            )
-          );
-        }
-      }
-      return f.json(
-        { error: "Not found" },
-        { status: 404 }
-      );
-    }
-    if (s === "POST") {
-      const c = await r.json().catch(() => ({}));
-      if (o === "/sign-in" || d[0] === "sign-in") {
-        if (c.provider === "email" && c.email && c.password) {
-          const a = await e.signIn.email({
-            email: c.email,
-            password: c.password
-          });
-          return f.json(a);
-        }
-        if (c.provider === "oauth" && c.providerName) {
-          if (!e.signIn.oauth)
-            return f.json(
-              { success: !1, error: "OAuth is not configured" },
-              { status: 400 }
-            );
-          const a = await e.signIn.oauth(c.providerName);
-          return f.json(a);
-        }
-        if (c.provider === "passkey") {
-          if (!e.signIn.passkey)
-            return f.json(
-              { success: !1, error: "PassKey is not configured" },
-              { status: 400 }
-            );
-          const a = await e.signIn.passkey(c.options);
-          return f.json(a);
-        }
-        return f.json(
-          { success: !1, error: "Invalid sign in request" },
-          { status: 400 }
-        );
-      }
-      if (o === "/sign-up" || d[0] === "sign-up") {
-        if (!e.signUp)
-          return f.json(
-            { success: !1, error: "Sign up is not configured" },
-            { status: 400 }
-          );
-        const a = await e.signUp(c);
-        return f.json(a);
-      }
-      if (o === "/sign-out" || d[0] === "sign-out") {
-        const a = await e.signOut();
-        return f.json(a);
-      }
-      if (o === "/reset-password" || d[0] === "reset-password") {
-        if (!e.resetPassword)
-          return f.json(
-            { success: !1, error: "Password reset is not configured" },
-            { status: 400 }
-          );
-        const a = await e.resetPassword(c.email);
-        return f.json(a);
-      }
-      if (o === "/verify-email" || d[0] === "verify-email") {
-        if (!e.verifyEmail)
-          return f.json(
-            { success: !1, error: "Email verification is not configured" },
-            { status: 400 }
-          );
-        const a = await e.verifyEmail(c.token);
-        return f.json(a);
-      }
-      if (o === "/refresh" || d[0] === "refresh") {
-        if (!e.refreshSession) {
-          const m = await e.getSession();
-          return f.json({ session: m });
-        }
-        const a = await e.refreshSession();
-        return f.json({ session: a });
-      }
-      if (o.startsWith("/oauth/callback") || d[0] === "oauth" && d[1] === "callback") {
-        if (!e.oauthCallback)
-          return f.json(
-            { success: !1, error: "OAuth callback is not configured" },
-            { status: 400 }
-          );
-        const a = c.provider || d[2] || t.searchParams.get("provider"), m = c.code || t.searchParams.get("code"), k = c.state || t.searchParams.get("state");
-        if (!a || !m || !k)
-          return f.json(
-            {
-              success: !1,
-              error: "Missing required OAuth parameters. Provider, code, and state are required."
-            },
-            { status: 400 }
-          );
-        const I = await e.oauthCallback(a, m, k);
-        return f.json(I);
-      }
-      if (o.startsWith("/passkey")) {
-        if (!e.passkey)
-          return f.json(
-            { success: !1, error: "PassKey is not configured" },
-            { status: 400 }
-          );
-        if (d[1] === "register" && e.passkey.register) {
-          const a = await e.passkey.register(c.options);
-          return f.json(a);
-        }
-        if (d[1] === "list" && e.passkey.list) {
-          const a = await e.passkey.list();
-          return f.json(a);
-        }
-        if (d[1] === "remove" && e.passkey.remove) {
-          const a = await e.passkey.remove(c.passkeyId);
-          return f.json(a);
-        }
-      }
-      if (o === "/verify-2fa" || d[0] === "verify-2fa") {
-        if (!e.verify2FA)
-          return f.json(
-            { success: !1, error: "2FA verification is not configured" },
-            { status: 400 }
-          );
-        if (!c.email || !c.userId || !c.code)
-          return f.json(
-            {
-              success: !1,
-              error: "Missing required parameters. Email, userId, and code are required."
-            },
-            { status: 400 }
-          );
-        const a = await e.verify2FA({
-          email: c.email,
-          userId: c.userId,
-          code: c.code
-        });
-        return f.json(a);
-      }
-      if (o.startsWith("/two-factor")) {
-        if (!e.twoFactor)
-          return f.json(
-            { success: !1, error: "Two-Factor Authentication is not configured" },
-            { status: 400 }
-          );
-        if (d[1] === "enable" && e.twoFactor.enable) {
-          const a = await e.twoFactor.enable();
-          return f.json(a);
-        }
-        if (d[1] === "verify" && e.twoFactor.verify) {
-          const a = await e.twoFactor.verify(c.code);
-          return f.json(a);
-        }
-        if (d[1] === "disable" && e.twoFactor.disable) {
-          const a = await e.twoFactor.disable();
-          return f.json(a);
-        }
-        if (d[1] === "backup-codes" && e.twoFactor.generateBackupCodes) {
-          const a = await e.twoFactor.generateBackupCodes();
-          return f.json(a);
-        }
-        if (d[1] === "is-enabled" && e.twoFactor.isEnabled) {
-          const a = await e.twoFactor.isEnabled();
-          return f.json({ enabled: a });
-        }
-      }
-      return f.json(
-        { error: "Not found" },
-        { status: 404 }
-      );
-    }
-    return f.json(
-      { error: "Method not allowed" },
-      { status: 405 }
-    );
-  } catch (c) {
-    return f.json(
-      {
-        success: !1,
-        error: c instanceof Error ? c.message : "Request failed"
-      },
-      { status: 500 }
+    return t === "GET" ? await ar(e, r, s, i, n) : t === "POST" ? await cr(e, r, s, i, n) : O("Method not allowed", 405);
+  } catch (o) {
+    return O(
+      o instanceof Error ? o.message : "Request failed",
+      500
     );
   }
 }
-function We(r) {
-  return async (e) => {
-    const { method: s, nextUrl: t } = e, d = t.pathname.replace(/^\/api\/auth/, "") || "/";
+function or(e) {
+  return e.replace(/^\/api\/auth/, "") || "/session";
+}
+async function ar(e, r, t, n, s) {
+  if (t === "/session" || t === "/") {
+    const i = await r.getSession();
+    return E.json({ session: i });
+  }
+  return t === "/providers" ? E.json({
+    providers: {
+      email: !!r.signIn.email,
+      oauth: !!r.signIn.oauth,
+      passkey: !!r.signIn.passkey
+    }
+  }) : re(t, n) ? await te(e, r, t, n, s, "GET") : O("Not found", 404);
+}
+async function cr(e, r, t, n, s) {
+  const i = await ur(e);
+  return t === "/sign-in" || n[0] === "sign-in" ? await fr(r, i) : t === "/sign-up" || n[0] === "sign-up" ? await dr(r, i) : t === "/sign-out" || n[0] === "sign-out" ? await hr(r) : t === "/reset-password" || n[0] === "reset-password" ? await gr(r, i) : t === "/verify-email" || n[0] === "verify-email" ? await wr(r, i) : t === "/refresh" || n[0] === "refresh" ? await pr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", i) : t.startsWith("/passkey") ? await Er(r, t, n, i) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await mr(r, i) : t.startsWith("/two-factor") ? await yr(r, n, i) : O("Not found", 404);
+}
+async function ur(e) {
+  try {
+    return await e.json();
+  } catch {
+    return {};
+  }
+}
+function re(e, r) {
+  return e === "/callback" || e.startsWith("/oauth/callback") || r[0] === "oauth" && r[1] === "callback" || r[0] === "callback";
+}
+async function te(e, r, t, n, s, i, o) {
+  if (!r.oauthCallback)
+    return i === "GET" ? V(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
+  const a = lr(n, s, o), l = (o == null ? void 0 : o.code) ?? s.searchParams.get("code"), f = (o == null ? void 0 : o.state) ?? s.searchParams.get("state");
+  if (!l || !f)
+    return i === "GET" ? V(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
+  try {
+    const w = await r.oauthCallback(a ?? "", l, f);
+    return i === "GET" ? w.success ? kr(e.url, s.searchParams.get("callbackUrl")) : V(e.url, w.error ?? "oauth_failed") : E.json(w);
+  } catch (w) {
+    return i === "GET" ? V(e.url, w instanceof Error ? w.message : "oauth_error") : O(w instanceof Error ? w.message : "OAuth callback failed", 500);
+  }
+}
+function lr(e, r, t) {
+  return t != null && t.provider ? t.provider : e[0] === "callback" && e[1] ? e[1] : e[0] === "oauth" && e[1] === "callback" && e[2] ? e[2] : r.searchParams.get("provider");
+}
+async function fr(e, r) {
+  if (r.provider === "email" && r.email && r.password) {
+    const t = {
+      email: r.email,
+      password: r.password
+    }, n = await e.signIn.email(t);
+    return E.json(n);
+  }
+  if (r.provider === "oauth" && r.providerName) {
+    if (!e.signIn.oauth)
+      return O("OAuth is not configured", 400);
+    const t = await e.signIn.oauth(r.providerName);
+    return E.json(t);
+  }
+  if (r.provider === "passkey") {
+    if (!e.signIn.passkey)
+      return O("PassKey is not configured", 400);
+    const t = await e.signIn.passkey(r.options);
+    return E.json(t);
+  }
+  return O("Invalid sign in request", 400);
+}
+async function dr(e, r) {
+  if (!e.signUp)
+    return O("Sign up is not configured", 400);
+  const t = await e.signUp(r);
+  return E.json(t);
+}
+async function hr(e) {
+  const r = await e.signOut();
+  return E.json(r);
+}
+async function gr(e, r) {
+  if (!e.resetPassword)
+    return O("Password reset is not configured", 400);
+  if (!r.email || typeof r.email != "string")
+    return O("Email is required", 400);
+  const t = await e.resetPassword(r.email);
+  return E.json(t);
+}
+async function wr(e, r) {
+  if (!e.verifyEmail)
+    return O("Email verification is not configured", 400);
+  if (!r.token || typeof r.token != "string")
+    return O("Token is required", 400);
+  const t = await e.verifyEmail(r.token);
+  return E.json(t);
+}
+async function pr(e) {
+  if (!e.refreshSession) {
+    const t = await e.getSession();
+    return E.json({ session: t });
+  }
+  const r = await e.refreshSession();
+  return E.json({ session: r });
+}
+async function mr(e, r) {
+  if (!e.verify2FA)
+    return O("2FA verification is not configured", 400);
+  if (!r.email || !r.userId || !r.code)
+    return O("Missing required parameters. Email, userId, and code are required.", 400);
+  const t = {
+    email: r.email,
+    userId: r.userId,
+    code: r.code
+  }, n = await e.verify2FA(t);
+  return E.json(n);
+}
+async function Er(e, r, t, n) {
+  if (!e.passkey)
+    return O("PassKey is not configured", 400);
+  const s = t[1];
+  if (s === "register" && e.passkey.register) {
+    const i = await e.passkey.register(n.options);
+    return E.json(i);
+  }
+  if (s === "list" && e.passkey.list) {
+    const i = await e.passkey.list();
+    return E.json(i);
+  }
+  if (s === "remove" && e.passkey.remove) {
+    if (!n.passkeyId || typeof n.passkeyId != "string")
+      return O("Passkey ID is required", 400);
+    const i = await e.passkey.remove(n.passkeyId);
+    return E.json(i);
+  }
+  return O("Invalid Passkey request", 400);
+}
+async function yr(e, r, t) {
+  if (!e.twoFactor)
+    return O("Two-Factor Authentication is not configured", 400);
+  const n = r[1];
+  if (n === "enable" && e.twoFactor.enable) {
+    const s = await e.twoFactor.enable();
+    return E.json(s);
+  }
+  if (n === "verify" && e.twoFactor.verify) {
+    if (!t.code || typeof t.code != "string")
+      return O("Code is required", 400);
+    const s = await e.twoFactor.verify(t.code);
+    return E.json(s);
+  }
+  if (n === "disable" && e.twoFactor.disable) {
+    const s = await e.twoFactor.disable();
+    return E.json(s);
+  }
+  if (n === "backup-codes" && e.twoFactor.generateBackupCodes) {
+    const s = await e.twoFactor.generateBackupCodes();
+    return E.json(s);
+  }
+  if (n === "is-enabled" && e.twoFactor.isEnabled) {
+    const s = await e.twoFactor.isEnabled();
+    return E.json({ enabled: s });
+  }
+  return O("Invalid two-factor request", 400);
+}
+function O(e, r) {
+  return E.json(
+    {
+      success: !1,
+      error: e
+    },
+    { status: r }
+  );
+}
+function V(e, r) {
+  return E.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
+}
+function kr(e, r) {
+  const t = r ?? "/";
+  return E.redirect(new URL(t, e));
+}
+function tt(e) {
+  return async (r) => {
+    const { method: t, nextUrl: n } = r, i = n.pathname.replace(/^\/api\/auth/, "") || "/";
     try {
-      let c;
-      if (s !== "GET" && s !== "HEAD")
+      let o;
+      if (t !== "GET" && t !== "HEAD")
         try {
-          c = await e.json();
+          o = await r.json();
         } catch {
         }
-      const a = Object.fromEntries(t.searchParams.entries()), m = await fetch(
-        `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${d}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
+      const a = Object.fromEntries(n.searchParams.entries()), l = await fetch(
+        `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${i}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
         {
-          method: s,
+          method: t,
           headers: {
             "Content-Type": "application/json",
-            ...Object.fromEntries(e.headers.entries())
+            ...Object.fromEntries(r.headers.entries())
           },
-          body: c ? JSON.stringify(c) : void 0
+          body: o ? JSON.stringify(o) : void 0
         }
-      ), k = await m.json();
-      return f.json(k, {
-        status: m.status,
+      ), f = await l.json();
+      return E.json(f, {
+        status: l.status,
         headers: {
-          ...Object.fromEntries(m.headers.entries())
+          ...Object.fromEntries(l.headers.entries())
         }
       });
-    } catch (c) {
-      return console.error("API handler error:", c), f.json(
+    } catch (o) {
+      return console.error("API handler error:", o), E.json(
         {
           success: !1,
-          error: c instanceof Error ? c.message : "Internal server error"
+          error: o instanceof Error ? o.message : "Internal server error"
         },
         { status: 500 }
       );
     }
   };
 }
-function qe(r) {
-  return async (e) => {
-    const { searchParams: s } = e.nextUrl, t = s.get("provider"), o = s.get("code"), d = s.get("state");
-    if (!t || !o || !d)
-      return f.redirect(
-        new URL("/login?error=oauth_missing_params", e.url)
+function nt(e) {
+  return async (r) => {
+    const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), i = t.get("state");
+    if (!n || !s || !i)
+      return E.redirect(
+        new URL("/login?error=oauth_missing_params", r.url)
       );
     try {
-      if (!r.oauthCallback)
-        return f.redirect(
-          new URL("/login?error=oauth_not_configured", e.url)
+      if (!e.oauthCallback)
+        return E.redirect(
+          new URL("/login?error=oauth_not_configured", r.url)
         );
-      const c = await r.oauthCallback(t, o, d);
-      if (c.success) {
-        const a = s.get("callbackUrl") || "/";
-        return f.redirect(new URL(a, e.url));
+      const o = await e.oauthCallback(n, s, i);
+      if (o.success) {
+        const a = t.get("callbackUrl") || "/";
+        return E.redirect(new URL(a, r.url));
       } else {
-        const a = c.errorCode ? `${encodeURIComponent(c.error || "oauth_failed")}&code=${c.errorCode}` : encodeURIComponent(c.error || "oauth_failed");
-        return f.redirect(
-          new URL(`/login?error=${a}`, e.url)
+        const a = o.errorCode ? `${encodeURIComponent(o.error || "oauth_failed")}&code=${o.errorCode}` : encodeURIComponent(o.error || "oauth_failed");
+        return E.redirect(
+          new URL(`/login?error=${a}`, r.url)
         );
       }
-    } catch (c) {
-      return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", c), f.redirect(
+    } catch (o) {
+      return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", o), E.redirect(
         new URL(
-          `/login?error=${encodeURIComponent(c instanceof Error ? c.message : "oauth_error")}`,
-          e.url
+          `/login?error=${encodeURIComponent(o instanceof Error ? o.message : "oauth_error")}`,
+          r.url
         )
       );
     }
   };
 }
-function L(r, e) {
-  const s = q({
+function F(e, r) {
+  const t = H({
     // Customize headers if needed
     "X-Frame-Options": "SAMEORIGIN"
     // Allow same-origin framing
   });
-  for (const [t, o] of Object.entries(s))
-    o && typeof o == "string" && e.headers.set(t, o);
-  return e;
+  for (const [n, s] of Object.entries(t))
+    s && typeof s == "string" && r.headers.set(n, s);
+  return r;
 }
-function Be() {
-  return async (r) => {
-    const e = f.next();
-    return L(r, e);
+function st() {
+  return async (e) => {
+    const r = E.next();
+    return F(e, r);
   };
 }
-function He(r, e = {}) {
+function it(e, r = {}) {
   const {
-    protectedRoutes: s = [],
-    publicRoutes: t = [],
-    redirectTo: o = "/login",
-    redirectIfAuthenticated: d
-  } = e;
-  return async (c) => {
-    const { pathname: a } = c.nextUrl, m = s.some((g) => a.startsWith(g));
-    let k = null;
+    protectedRoutes: t = [],
+    publicRoutes: n = [],
+    redirectTo: s = "/login",
+    redirectIfAuthenticated: i
+  } = r;
+  return async (o) => {
+    const { pathname: a } = o.nextUrl, l = t.some((g) => a.startsWith(g));
+    let f = null;
     try {
-      k = await r.getSession();
+      f = await e.getSession();
     } catch (g) {
       console.error("Middleware: Failed to get session:", g);
     }
-    if (m && !k) {
-      const g = c.nextUrl.clone();
-      return g.pathname = o, g.searchParams.set("callbackUrl", a), f.redirect(g);
+    if (l && !f) {
+      const g = o.nextUrl.clone();
+      return g.pathname = s, g.searchParams.set("callbackUrl", a), E.redirect(g);
     }
-    if (d && k && (a.startsWith("/login") || a.startsWith("/register"))) {
-      const A = c.nextUrl.clone();
-      A.pathname = d;
-      const _ = f.redirect(A);
-      return L(c, _);
+    if (i && f && (a.startsWith("/login") || a.startsWith("/register"))) {
+      const A = o.nextUrl.clone();
+      A.pathname = i;
+      const S = E.redirect(A);
+      return F(o, S);
     }
-    const I = f.next();
-    return L(c, I);
+    const w = E.next();
+    return F(o, w);
   };
 }
-async function Ke(r, e) {
-  var s;
+async function ot(e, r) {
+  var t;
   try {
-    const t = await r.getSession();
-    return t ? ((s = t.user.roles) == null ? void 0 : s.includes(e)) ?? !1 : !1;
+    const n = await e.getSession();
+    return n ? ((t = n.user.roles) == null ? void 0 : t.includes(r)) ?? !1 : !1;
   } catch {
     return !1;
   }
 }
-function Xe(r) {
+function at(e) {
   const {
-    auth: e,
-    protectedRoutes: s = [],
-    publicRoutes: t = [],
-    redirectTo: o = "/login",
-    redirectIfAuthenticated: d,
-    apiPrefix: c = "/api/auth"
-  } = r;
+    auth: r,
+    protectedRoutes: t = [],
+    publicRoutes: n = [],
+    redirectTo: s = "/login",
+    redirectIfAuthenticated: i,
+    apiPrefix: o = "/api/auth"
+  } = e;
   return async (a) => {
-    const { pathname: m } = a.nextUrl;
-    if (m.startsWith(c)) {
-      const A = f.next();
-      return L(a, A);
+    const { pathname: l } = a.nextUrl;
+    if (l.startsWith(o)) {
+      const A = E.next();
+      return F(a, A);
     }
-    const k = s.some((A) => m.startsWith(A));
-    let I = null;
-    if (k || d)
+    const f = t.some((A) => l.startsWith(A));
+    let w = null;
+    if (f || i)
       try {
-        I = await e.getSession();
+        w = await r.getSession();
       } catch (A) {
         console.error("Middleware: Failed to get session:", A);
       }
-    if (k && !I) {
+    if (f && !w) {
       const A = a.nextUrl.clone();
-      A.pathname = o, A.searchParams.set("callbackUrl", m);
-      const _ = f.redirect(A);
-      return L(a, _);
+      A.pathname = s, A.searchParams.set("callbackUrl", l);
+      const S = E.redirect(A);
+      return F(a, S);
     }
-    if (d && I && (m.startsWith("/login") || m.startsWith("/register"))) {
-      const _ = a.nextUrl.clone();
-      _.pathname = d;
-      const b = f.redirect(_);
-      return L(a, b);
+    if (i && w && (l.startsWith("/login") || l.startsWith("/register"))) {
+      const S = a.nextUrl.clone();
+      S.pathname = i;
+      const v = E.redirect(S);
+      return F(a, v);
     }
-    const g = f.next();
-    return L(a, g);
+    const g = E.next();
+    return F(a, g);
   };
 }
-async function Ye(r, e) {
-  var s;
+async function ct(e, r) {
+  var t;
   try {
-    const t = await r.getSession();
-    return t ? ((s = t.user.roles) == null ? void 0 : s.includes(e)) ?? !1 : !1;
+    const n = await e.getSession();
+    return n ? ((t = n.user.roles) == null ? void 0 : t.includes(r)) ?? !1 : !1;
   } catch {
     return !1;
   }
 }
 export {
-  te as CSRFProtection,
-  ee as DEFAULT_SECURITY_HEADERS,
-  re as MemoryCSRFStore,
-  fe as MemoryOAuthStateStore,
-  Z as RateLimiter,
-  Re as applySecurityHeaders,
-  X as buildCookieOptions,
-  ce as buildOAuthAuthorizationUrl,
-  Ke as checkRole,
-  Ye as checkRoleProxy,
-  Pe as containsXSSPattern,
-  We as createApiHandler,
-  He as createAuthMiddleware,
-  Oe as createCSRFProtection,
-  de as createMemoryOAuthStateStore,
-  qe as createOAuthCallbackHandler,
-  Xe as createProxyMiddleware,
-  ve as createRateLimiter,
-  Be as createSecurityMiddleware,
-  sr as createServerAuthMiddleware,
-  nr as createServerHelpers,
-  or as createServerUtils,
-  ir as createSessionManager,
-  J as deleteCookie,
-  ar as deleteOAuthStateCookie,
-  se as escapeHTML,
-  le as exchangeOAuthCode,
-  ne as generateCSRFToken,
-  B as generateToken,
-  G as getCookie,
-  cr as getCurrentUser,
-  xe as getErrorCode,
-  Fe as getErrorMessage,
-  lr as getOAuthStateCookie,
-  ue as getOAuthUserInfo,
-  $ as getProviderMetadata,
-  q as getSecurityHeaders,
-  ur as getServerSession,
-  fr as getSessionTimeUntilExpiry,
-  Ve as getUserFriendlyError,
-  je as hasErrorCode,
-  ie as isAuthError,
-  Le as isAuthSuccess,
-  De as isRetryableError,
-  dr as isSessionExpiredNullable,
-  gr as isSessionExpiringSoon,
-  hr as isSessionValid,
-  Ne as isTwoFactorRequired,
-  Ue as isValidEmail,
-  Me as mulguard,
-  wr as refreshSession,
-  mr as requireAuth,
-  pr as requireRole,
-  yr as requireServerAuthMiddleware,
-  Er as requireServerRoleMiddleware,
-  be as sanitizeHTML,
-  Ce as sanitizeInput,
-  Te as sanitizeUserInput,
-  Y as setCookie,
-  $e as signIn,
-  Qe as signInEmailAction,
-  Ze as signOutAction,
-  er as signUpAction,
-  kr as storeOAuthStateCookie,
-  ze as toNextJsHandler,
-  M as validateAndSanitizeEmail,
-  z as validateAndSanitizeInput,
-  Se as validateAndSanitizeName,
-  Ae as validateAndSanitizePassword,
-  oe as validateCSRFToken,
-  x as validateSessionStructure,
-  _e as validateToken,
-  Ie as validateURL,
-  rr as verify2FAAction,
-  L as withSecurityHeaders
+  Te as CSRFProtection,
+  fe as DEFAULT_SECURITY_HEADERS,
+  Oe as MemoryCSRFStore,
+  ze as MemoryOAuthStateStore,
+  le as RateLimiter,
+  Tr as applySecurityHeaders,
+  oe as buildCookieOptions,
+  be as buildOAuthAuthorizationUrl,
+  ot as checkRole,
+  ct as checkRoleProxy,
+  Vr as containsXSSPattern,
+  tt as createApiHandler,
+  it as createAuthMiddleware,
+  Dr as createCSRFProtection,
+  $e as createMemoryOAuthStateStore,
+  nt as createOAuthCallbackHandler,
+  at as createProxyMiddleware,
+  Or as createRateLimiter,
+  Zr as createRedisOAuthStateStore,
+  st as createSecurityMiddleware,
+  pt as createServerAuthMiddleware,
+  mt as createServerHelpers,
+  Et as createServerUtils,
+  yt as createSessionManager,
+  ie as deleteCookie,
+  kt as deleteOAuthStateCookie,
+  Ie as escapeHTML,
+  Ue as exchangeOAuthCode,
+  _e as generateCSRFToken,
+  Y as generateToken,
+  ce as getCookie,
+  vt as getCurrentUser,
+  Br as getErrorCode,
+  qr as getErrorMessage,
+  St as getOAuthStateCookie,
+  Fe as getOAuthUserInfo,
+  j as getProviderMetadata,
+  H as getSecurityHeaders,
+  Rt as getServerSession,
+  At as getSessionTimeUntilExpiry,
+  Xr as getUserFriendlyError,
+  Gr as hasErrorCode,
+  Ce as isAuthError,
+  Hr as isAuthSuccess,
+  Qr as isOAuthProviderConfig,
+  Kr as isRetryableError,
+  Ot as isSessionExpiredNullable,
+  Tt as isSessionExpiringSoon,
+  It as isSessionValid,
+  Yr as isSupportedProvider,
+  Wr as isTwoFactorRequired,
+  jr as isValidCSRFToken,
+  $r as isValidEmail,
+  xr as isValidInput,
+  Cr as isValidName,
+  _r as isValidPassword,
+  Fr as isValidToken,
+  Ur as isValidURL,
+  et as mulguard,
+  _t as refreshSession,
+  Pt as requireAuth,
+  Ct as requireRole,
+  bt as requireServerAuthMiddleware,
+  Ut as requireServerRoleMiddleware,
+  Lr as sanitizeHTML,
+  zr as sanitizeInput,
+  Mr as sanitizeUserInput,
+  ae as setCookie,
+  Jr as signIn,
+  ft as signInEmailAction,
+  dt as signOutAction,
+  ht as signUpAction,
+  Nt as storeOAuthStateCookie,
+  rt as toNextJsHandler,
+  G as validateAndSanitizeEmail,
+  X as validateAndSanitizeInput,
+  Pr as validateAndSanitizeName,
+  Ir as validateAndSanitizePassword,
+  Q as validateCSRFToken,
+  N as validateSessionStructure,
+  Nr as validateToken,
+  br as validateURL,
+  gt as verify2FAAction,
+  F as withSecurityHeaders
 };