mulguard 1.1.6 → 1.1.8

package/dist/index/index.mjs

@@ -1,2229 +0,0 @@
-var ne = Object.defineProperty;
-var se = (e, r, t) => r in e ? ne(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
-var b = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
-import { A as m, d as oe, e as ie, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
-import { a as wt, s as pt, b as mt, v as Et } from "../actions-DeCfLtHA.mjs";
-import { v as U } from "../oauth-state-DKle8eCr.mjs";
-import { c as kt, p as vt, k as St, n as At, m as Rt, j as Ot, l as Tt, e as It, g as _t, b as Pt, i as Ct, a as Nt, o as bt, f as Ut, h as Ft, r as xt, d as Dt, s as Lt } from "../oauth-state-DKle8eCr.mjs";
-import { NextResponse as E } from "next/server";
-const x = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-function ue(e = 32) {
-  if (x && typeof x.getRandomValues == "function")
-    return x.getRandomValues(new Uint8Array(e));
-  if (x && typeof x.randomBytes == "function")
-    return Uint8Array.from(x.randomBytes(e));
-  throw new Error("crypto.getRandomValues must be defined");
-}
-class le {
-  constructor(r) {
-    b(this, "attempts", /* @__PURE__ */ new Map());
-    b(this, "config");
-    this.config = r;
-  }
-  /**
-   * Check if request is allowed
-   */
-  check(r) {
-    const t = Date.now(), n = this.attempts.get(r);
-    return !n || n.resetAt < t ? (this.attempts.set(r, {
-      count: 1,
-      resetAt: t + this.config.windowMs
-    }), {
-      allowed: !0,
-      remaining: this.config.maxAttempts - 1,
-      resetAt: new Date(t + this.config.windowMs)
-    }) : n.count >= this.config.maxAttempts ? {
-      allowed: !1,
-      remaining: 0,
-      resetAt: new Date(n.resetAt)
-    } : (n.count++, {
-      allowed: !0,
-      remaining: this.config.maxAttempts - n.count,
-      resetAt: new Date(n.resetAt)
-    });
-  }
-  /**
-   * Reset rate limit for a key
-   */
-  reset(r) {
-    this.attempts.delete(r);
-  }
-  /**
-   * Clear all rate limits
-   */
-  clear() {
-    this.attempts.clear();
-  }
-}
-function _r(e) {
-  return new le(e);
-}
-const fe = {
-  "X-Content-Type-Options": "nosniff",
-  "X-Frame-Options": "DENY",
-  "X-XSS-Protection": "1; mode=block",
-  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
-  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
-  "Referrer-Policy": "strict-origin-when-cross-origin",
-  "Permissions-Policy": "geolocation=(), microphone=(), camera=()"
-};
-function H(e) {
-  return {
-    ...fe,
-    ...e
-  };
-}
-function Pr(e, r) {
-  const t = H(r);
-  for (const [n, s] of Object.entries(t))
-    s && e.set(n, s);
-}
-const de = /^[^\s@]+@[^\s@]+\.[^\s@]+$/, he = 254;
-function G(e) {
-  var t;
-  if (typeof e != "string" || !e)
-    return { valid: !1, error: "Email is required" };
-  const r = e.trim().toLowerCase();
-  return de.test(r) ? r.length > he ? { valid: !1, error: "Email is too long" } : r.includes("..") || r.startsWith(".") || r.endsWith(".") ? { valid: !1, error: "Invalid email format" } : (t = r.split("@")[1]) != null && t.includes("..") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: r } : { valid: !1, error: "Invalid email format" };
-}
-function K(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const ge = /* @__PURE__ */ new Set([
-  "password",
-  "12345678",
-  "qwerty",
-  "abc123",
-  "password123",
-  "123456789",
-  "1234567890",
-  "letmein",
-  "welcome",
-  "monkey",
-  "dragon",
-  "master",
-  "sunshine",
-  "princess",
-  "football",
-  "admin",
-  "root",
-  "test",
-  "guest",
-  "user"
-]), we = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, pe = 8, me = 128;
-function Cr(e, r = pe) {
-  if (typeof e != "string" || !e)
-    return { valid: !1, error: "Password is required" };
-  if (e.length < r)
-    return { valid: !1, error: `Password must be at least ${r} characters` };
-  if (e.length > me)
-    return { valid: !1, error: "Password is too long" };
-  const t = e.toLowerCase();
-  if (ge.has(t))
-    return { valid: !1, error: "Password is too common" };
-  if (/(.)\1{3,}/.test(e))
-    return { valid: !1, error: "Password contains too many repeated characters" };
-  if (we.test(e))
-    return { valid: !1, error: "Password contains sequential characters" };
-  const n = Ee(e);
-  return { valid: !0, sanitized: e, strength: n };
-}
-function Ee(e) {
-  let r = 0;
-  return e.length >= 12 ? r += 2 : e.length >= 8 && (r += 1), /[a-z]/.test(e) && (r += 1), /[A-Z]/.test(e) && (r += 1), /[0-9]/.test(e) && (r += 1), /[^a-zA-Z0-9]/.test(e) && (r += 1), r >= 5 ? "strong" : r >= 3 ? "medium" : "weak";
-}
-function Nr(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const ye = 100;
-function br(e) {
-  if (typeof e != "string" || !e)
-    return { valid: !1, error: "Name is required" };
-  const r = e.trim();
-  if (r.length < 1)
-    return { valid: !1, error: "Name cannot be empty" };
-  if (r.length > ye)
-    return { valid: !1, error: "Name is too long" };
-  const t = r.replace(/[<>"']/g, "");
-  return t.length === 0 ? { valid: !1, error: "Name contains only invalid characters" } : { valid: !0, sanitized: t };
-}
-function Ur(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const ke = /* @__PURE__ */ new Set(["http:", "https:"]);
-function Fr(e) {
-  if (typeof e != "string" || !e)
-    return { valid: !1, error: "URL is required" };
-  try {
-    const r = new URL(e);
-    return ke.has(r.protocol) ? { valid: !0, sanitized: e } : { valid: !1, error: "URL must use http or https protocol" };
-  } catch {
-    return { valid: !1, error: "Invalid URL format" };
-  }
-}
-function xr(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const ve = 16, Se = 512, Ae = /^[A-Za-z0-9_-]+$/;
-function Dr(e, r = ve) {
-  return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > Se ? { valid: !1, error: "Token is too long" } : Ae.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
-}
-function Lr(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const Re = 1e3;
-function X(e, r) {
-  const { maxLength: t = Re, allowHtml: n = !1, required: s = !0 } = r ?? {};
-  if (s && (typeof e != "string" || !e || e.trim().length === 0))
-    return { valid: !1, error: "Input is required" };
-  if (typeof e != "string" || !e)
-    return { valid: !0, sanitized: "" };
-  let o = e.trim();
-  return o.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (o = o.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), o = o.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: o });
-}
-function Mr(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-class Oe {
-  constructor() {
-    b(this, "tokens", /* @__PURE__ */ new Map());
-  }
-  get(r) {
-    const t = this.tokens.get(r);
-    return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t.value : null;
-  }
-  set(r, t, n = 36e5) {
-    this.tokens.set(r, {
-      value: t,
-      expiresAt: Date.now() + n
-    });
-  }
-  delete(r) {
-    this.tokens.delete(r);
-  }
-  clear() {
-    this.tokens.clear();
-  }
-}
-class Te {
-  constructor(r, t = 32) {
-    b(this, "store");
-    b(this, "tokenLength");
-    this.store = r || new Oe(), this.tokenLength = t;
-  }
-  /**
-   * Generate CSRF token
-   */
-  generateToken(r, t) {
-    const n = Y(this.tokenLength);
-    return this.store.set(r, n, t), n;
-  }
-  /**
-   * Validate CSRF token
-   */
-  validateToken(r, t) {
-    const n = this.store.get(r);
-    if (!n)
-      return !1;
-    const s = Q(t, n);
-    return s && this.store.delete(r), s;
-  }
-  /**
-   * Get stored token without validating
-   */
-  getToken(r) {
-    return this.store.get(r);
-  }
-  /**
-   * Delete token
-   */
-  deleteToken(r) {
-    this.store.delete(r);
-  }
-}
-function Vr(e) {
-  return new Te(e);
-}
-function Ie(e) {
-  if (typeof e != "string")
-    return "";
-  const r = {
-    "&": "&amp;",
-    "<": "&lt;",
-    ">": "&gt;",
-    '"': "&quot;",
-    "'": "&#039;"
-  };
-  return e.replace(/[&<>"']/g, (t) => r[t] || t);
-}
-function jr(e) {
-  return typeof e != "string" ? "" : e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
-}
-function zr(e) {
-  return typeof e != "string" ? "" : Ie(e.trim());
-}
-function $r(e) {
-  return typeof e != "string" ? !1 : [
-    /<script/i,
-    /javascript:/i,
-    /on\w+\s*=/i,
-    /<iframe/i,
-    /<object/i,
-    /<embed/i,
-    /<link/i,
-    /<meta/i,
-    /expression\s*\(/i,
-    /vbscript:/i
-  ].some((t) => t.test(e));
-}
-const J = 32;
-function Y(e = J) {
-  if (e < 1 || e > 256)
-    throw new Error("Token length must be between 1 and 256 bytes");
-  const r = ue(e);
-  return Buffer.from(r).toString("base64url");
-}
-function _e() {
-  return Y(J);
-}
-function Q(e, r) {
-  if (typeof e != "string" || typeof r != "string" || !e || !r || e.length !== r.length)
-    return !1;
-  let t = 0;
-  for (let n = 0; n < e.length; n++)
-    t |= e.charCodeAt(n) ^ r.charCodeAt(n);
-  return t === 0;
-}
-function Wr(e, r) {
-  return Q(e, r);
-}
-function qr(e) {
-  return typeof e != "string" ? "" : e.trim().replace(/[<>]/g, "");
-}
-const Pe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-function Br(e) {
-  return typeof e == "string" && Pe.test(e);
-}
-function Ce(e) {
-  return !e.success && !!e.error;
-}
-function Hr(e) {
-  return e.requires2FA === !0 || e.errorCode === m.TWO_FA_REQUIRED;
-}
-function Gr(e, r) {
-  return e.error ? e.error : r || "Authentication failed";
-}
-function Kr(e) {
-  return e.errorCode;
-}
-function Xr(e) {
-  return e.success === !0 && !!e.user;
-}
-function Jr(e, r) {
-  return e.errorCode === r;
-}
-function Yr(e) {
-  if (!Ce(e)) return !1;
-  const r = [
-    m.NETWORK_ERROR,
-    m.RATE_LIMITED,
-    m.UNKNOWN_ERROR
-  ];
-  return e.errorCode ? r.includes(e.errorCode) : !1;
-}
-function Qr(e) {
-  if (e.error) return e.error;
-  switch (e.errorCode) {
-    case m.INVALID_CREDENTIALS:
-      return "Invalid email or password. Please try again.";
-    case m.ACCOUNT_LOCKED:
-      return "Your account has been temporarily locked. Please try again later.";
-    case m.ACCOUNT_INACTIVE:
-      return "Your account is inactive. Please contact support.";
-    case m.TWO_FA_REQUIRED:
-      return "Two-factor authentication is required. Please enter your code.";
-    case m.INVALID_TWO_FA_CODE:
-      return "Invalid two-factor authentication code. Please try again.";
-    case m.SESSION_EXPIRED:
-      return "Your session has expired. Please sign in again.";
-    case m.UNAUTHORIZED:
-      return "You are not authorized to perform this action.";
-    case m.NETWORK_ERROR:
-      return "Network error. Please check your connection and try again.";
-    case m.VALIDATION_ERROR:
-      return "Please check your input and try again.";
-    case m.RATE_LIMITED:
-      return "Too many attempts. Please try again later.";
-    case m.UNKNOWN_ERROR:
-    default:
-      return "An unexpected error occurred. Please try again.";
-  }
-}
-async function Zr(e, r, t) {
-  return e.signIn(r, t);
-}
-const Z = {
-  google: {
-    authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-    tokenUrl: "https://oauth2.googleapis.com/token",
-    userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
-    defaultScopes: ["openid", "profile", "email"]
-  },
-  github: {
-    authorizationUrl: "https://github.com/login/oauth/authorize",
-    tokenUrl: "https://github.com/login/oauth/access_token",
-    userInfoUrl: "https://api.github.com/user",
-    defaultScopes: ["user:email"]
-  },
-  apple: {
-    authorizationUrl: "https://appleid.apple.com/auth/authorize",
-    tokenUrl: "https://appleid.apple.com/auth/token",
-    userInfoUrl: "https://appleid.apple.com/auth/userinfo",
-    defaultScopes: ["name", "email"],
-    defaultParams: {
-      response_mode: "form_post",
-      response_type: "code id_token"
-    }
-  },
-  facebook: {
-    authorizationUrl: "https://www.facebook.com/v18.0/dialog/oauth",
-    tokenUrl: "https://graph.facebook.com/v18.0/oauth/access_token",
-    userInfoUrl: "https://graph.facebook.com/v18.0/me?fields=id,name,email,picture",
-    defaultScopes: ["email", "public_profile"]
-  }
-};
-function j(e) {
-  return Z[e] ?? null;
-}
-function et(e) {
-  return e in Z;
-}
-function Ne(e, r, t, n) {
-  const s = j(e);
-  if (!s)
-    throw new Error(`Unknown OAuth provider: ${e}`);
-  if (!r.clientId)
-    throw new Error(`OAuth provider "${e}" is missing clientId`);
-  const o = r.redirectUri ?? `${t}/api/auth/callback/${e}`, i = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
-    client_id: r.clientId,
-    redirect_uri: o,
-    response_type: "code",
-    scope: Array.isArray(i) ? i.join(" ") : String(i),
-    state: n
-  });
-  if (s.defaultParams)
-    for (const [u, f] of Object.entries(s.defaultParams))
-      a.append(u, f);
-  if (r.params)
-    for (const [u, f] of Object.entries(r.params))
-      a.set(u, f);
-  return `${s.authorizationUrl}?${a.toString()}`;
-}
-async function be(e, r, t, n) {
-  const s = j(e);
-  if (!s)
-    throw new Error(`Unknown OAuth provider: ${e}`);
-  if (!t || typeof t != "string")
-    throw new Error("Authorization code is required");
-  if (!r.clientId)
-    throw new Error(`OAuth provider "${e}" is missing clientId`);
-  const o = new URLSearchParams({
-    client_id: r.clientId,
-    code: t,
-    redirect_uri: n,
-    grant_type: "authorization_code"
-  });
-  r.clientSecret && o.append("client_secret", r.clientSecret);
-  try {
-    const i = await fetch(s.tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
-      },
-      body: o.toString()
-    });
-    if (!i.ok) {
-      const u = await i.text();
-      let f = `Failed to exchange code for tokens: ${u}`;
-      try {
-        const g = JSON.parse(u);
-        f = g.error_description ?? g.error ?? f;
-      } catch {
-      }
-      throw new Error(f);
-    }
-    const a = await i.json();
-    if (!Ue(a))
-      throw new Error("Invalid token exchange response format");
-    return a;
-  } catch (i) {
-    throw i instanceof Error ? i : new Error(`OAuth token exchange failed: ${String(i)}`);
-  }
-}
-function Ue(e) {
-  return typeof e == "object" && e !== null && "access_token" in e && typeof e.access_token == "string";
-}
-async function Fe(e, r) {
-  const t = j(e);
-  if (!t)
-    throw new Error(`Unknown OAuth provider: ${e}`);
-  if (!r || typeof r != "string")
-    throw new Error("Access token is required");
-  try {
-    const n = await fetch(t.userInfoUrl, {
-      headers: {
-        Authorization: `Bearer ${r}`,
-        Accept: "application/json"
-      }
-    });
-    if (!n.ok) {
-      const o = await n.text();
-      let i = `Failed to fetch user info: ${o}`;
-      try {
-        const a = JSON.parse(o);
-        i = a.error_description ?? a.error ?? i;
-      } catch {
-      }
-      throw new Error(i);
-    }
-    const s = await n.json();
-    return xe(e, s, r);
-  } catch (n) {
-    throw n instanceof Error ? n : new Error(`OAuth user info retrieval failed: ${String(n)}`);
-  }
-}
-async function xe(e, r, t) {
-  switch (e) {
-    case "google":
-      return De(r);
-    case "github":
-      return await Le(r, t);
-    case "apple":
-      return Me(r);
-    case "facebook":
-      return Ve(r);
-    default:
-      return je(r);
-  }
-}
-function De(e) {
-  return {
-    id: String(e.sub ?? e.id ?? ""),
-    email: String(e.email ?? ""),
-    name: String(e.name ?? ""),
-    avatar: typeof e.picture == "string" ? e.picture : void 0,
-    emailVerified: !!e.email_verified,
-    rawProfile: e
-  };
-}
-async function Le(e, r) {
-  let t = typeof e.email == "string" ? e.email : void 0, n = { ...e };
-  if (!t)
-    try {
-      const s = await fetch("https://api.github.com/user/emails", {
-        headers: { Authorization: `Bearer ${r}` }
-      });
-      if (s.ok) {
-        const o = await s.json(), i = o.find((a) => a.primary) ?? o[0];
-        t = (i == null ? void 0 : i.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: o };
-      } else
-        t = `${String(e.login ?? "user")}@users.noreply.github.com`;
-    } catch {
-      t = `${String(e.login ?? "user")}@users.noreply.github.com`;
-    }
-  return {
-    id: String(e.id ?? ""),
-    email: t ?? "",
-    name: String(e.name ?? e.login ?? ""),
-    avatar: typeof e.avatar_url == "string" ? e.avatar_url : void 0,
-    emailVerified: !!t,
-    rawProfile: n
-  };
-}
-function Me(e) {
-  const r = e.name, t = r ? `${r.firstName ?? ""} ${r.lastName ?? ""}`.trim() : "";
-  return {
-    id: String(e.sub ?? ""),
-    email: String(e.email ?? ""),
-    name: t,
-    emailVerified: !!e.email_verified,
-    rawProfile: e
-  };
-}
-function Ve(e) {
-  var t;
-  const r = e.picture;
-  return {
-    id: String(e.id ?? ""),
-    email: String(e.email ?? ""),
-    name: String(e.name ?? ""),
-    avatar: (t = r == null ? void 0 : r.data) == null ? void 0 : t.url,
-    emailVerified: !0,
-    rawProfile: e
-  };
-}
-function je(e) {
-  return {
-    id: String(e.id ?? e.sub ?? ""),
-    email: String(e.email ?? ""),
-    name: String(e.name ?? e.display_name ?? e.username ?? ""),
-    avatar: typeof e.avatar == "string" ? e.avatar : typeof e.picture == "string" ? e.picture : typeof e.avatar_url == "string" ? e.avatar_url : void 0,
-    emailVerified: !!(e.email_verified ?? e.emailVerified ?? !1),
-    rawProfile: e
-  };
-}
-function rt(e) {
-  return typeof e == "object" && e !== null && "clientId" in e && typeof e.clientId == "string";
-}
-const ze = "__mulguard_oauth_state", $e = 10 * 60 * 1e3;
-function We(e) {
-  const r = e.cookieName || ze, t = e.ttl || $e, n = process.env.NODE_ENV === "production", s = e.secure ?? n, o = e.sameSite || "strict", i = e.cookieHandler, a = (u) => ({
-    httpOnly: !0,
-    secure: s,
-    sameSite: o,
-    maxAge: Math.floor(u / 1e3),
-    // Convert to seconds
-    path: "/"
-  });
-  return {
-    async set(u, f, g) {
-      const w = JSON.stringify({
-        state: u,
-        provider: f.provider,
-        expiresAt: f.expiresAt
-      });
-      await Promise.resolve(
-        i.setCookie(r, w, a(t))
-      );
-    },
-    async get(u) {
-      const f = await Promise.resolve(i.getCookie(r));
-      if (!f)
-        return null;
-      try {
-        const g = JSON.parse(f);
-        return g.state !== u ? null : g.expiresAt < Date.now() ? (await Promise.resolve(
-          i.deleteCookie(r, { path: "/" })
-        ), null) : {
-          provider: g.provider,
-          expiresAt: g.expiresAt
-        };
-      } catch {
-        return await Promise.resolve(
-          i.deleteCookie(r, { path: "/" })
-        ), null;
-      }
-    },
-    async delete(u) {
-      await this.get(u) && await Promise.resolve(
-        i.deleteCookie(r, { path: "/" })
-      );
-    },
-    async cleanup() {
-    }
-  };
-}
-function tt() {
-  return We({
-    cookieHandler: {
-      async getCookie(e) {
-        var r;
-        try {
-          const { cookies: t } = await import("next/headers");
-          return ((r = (await t()).get(e)) == null ? void 0 : r.value) || null;
-        } catch {
-          return null;
-        }
-      },
-      async setCookie(e, r, t) {
-        try {
-          const { cookies: n } = await import("next/headers");
-          (await n()).set(e, r, {
-            httpOnly: t.httpOnly ?? !0,
-            secure: t.secure ?? process.env.NODE_ENV === "production",
-            sameSite: t.sameSite || "strict",
-            maxAge: t.maxAge,
-            path: t.path || "/"
-          });
-        } catch (n) {
-          console.warn("[Mulguard] Failed to set OAuth state cookie:", n);
-        }
-      },
-      async deleteCookie(e, r) {
-        try {
-          const { cookies: t } = await import("next/headers");
-          (await t()).set(e, "", {
-            maxAge: 0,
-            expires: /* @__PURE__ */ new Date(0),
-            path: (r == null ? void 0 : r.path) || "/"
-          });
-        } catch {
-        }
-      }
-    }
-  });
-}
-class qe {
-  constructor() {
-    b(this, "states", /* @__PURE__ */ new Map());
-  }
-  set(r, t, n) {
-    this.states.set(r, t), this.cleanup();
-  }
-  get(r) {
-    const t = this.states.get(r);
-    return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t : null;
-  }
-  delete(r) {
-    this.states.delete(r);
-  }
-  cleanup() {
-    const r = Date.now();
-    for (const [t, n] of this.states.entries())
-      n.expiresAt < r && this.states.delete(t);
-  }
-}
-function Be() {
-  return new qe();
-}
-function nt(e, r = "mulguard:oauth:state:") {
-  const t = (s) => `${r}${s}`, n = async (s) => {
-    const o = t(s);
-    await e.del(o);
-  };
-  return {
-    async set(s, o, i) {
-      const a = t(s), u = JSON.stringify(o);
-      await e.set(a, u, "EX", Math.floor(i / 1e3));
-    },
-    async get(s) {
-      const o = t(s), i = await e.get(o);
-      if (!i)
-        return null;
-      try {
-        const a = JSON.parse(i);
-        return a.expiresAt < Date.now() ? (await n(s), null) : a;
-      } catch {
-        return await n(s), null;
-      }
-    },
-    async delete(s) {
-      await n(s);
-    },
-    async cleanup() {
-      try {
-        const s = await e.keys(`${r}*`), o = Date.now();
-        for (const i of s) {
-          const a = await e.get(i);
-          if (a)
-            try {
-              JSON.parse(a).expiresAt < o && await e.del(i);
-            } catch {
-              await e.del(i);
-            }
-        }
-      } catch (s) {
-        console.warn("[Mulguard] OAuth state cleanup warning:", s);
-      }
-    }
-  };
-}
-function D(e) {
-  return e.success === !0 && e.user !== void 0 && e.session !== void 0;
-}
-var ee = /* @__PURE__ */ ((e) => (e[e.DEBUG = 0] = "DEBUG", e[e.INFO = 1] = "INFO", e[e.WARN = 2] = "WARN", e[e.ERROR = 3] = "ERROR", e))(ee || {});
-const He = process.env.NODE_ENV === "development" ? 0 : 1;
-function Ge(e = {}) {
-  const {
-    enabled: r = process.env.NODE_ENV === "development",
-    level: t = He,
-    context: n,
-    formatter: s = Ke
-  } = e, o = (a) => r && a >= t, i = (a, u, f, g) => ({
-    level: a,
-    message: u,
-    timestamp: /* @__PURE__ */ new Date(),
-    context: n,
-    data: f ? Xe(f) : void 0,
-    error: g
-  });
-  return {
-    debug: (a, u) => {
-      if (o(
-        0
-        /* DEBUG */
-      )) {
-        const f = i(0, a, u);
-        console.debug(s(f));
-      }
-    },
-    info: (a, u) => {
-      if (o(
-        1
-        /* INFO */
-      )) {
-        const f = i(1, a, u);
-        console.info(s(f));
-      }
-    },
-    warn: (a, u) => {
-      if (o(
-        2
-        /* WARN */
-      )) {
-        const f = i(2, a, u);
-        console.warn(s(f));
-      }
-    },
-    error: (a, u) => {
-      if (o(
-        3
-        /* ERROR */
-      )) {
-        const f = u instanceof Error ? u : void 0, g = u instanceof Error ? void 0 : u, w = i(3, a, g, f);
-        console.error(s(w)), f && console.error(f);
-      }
-    }
-  };
-}
-function Ke(e) {
-  const r = e.timestamp.toISOString(), t = ee[e.level], n = e.context ? `[${e.context}]` : "", s = e.data ? ` ${JSON.stringify(e.data)}` : "";
-  return `${r} [${t}]${n} ${e.message}${s}`;
-}
-function Xe(e) {
-  const r = /* @__PURE__ */ new Set(["password", "token", "secret", "key", "accessToken", "refreshToken"]), t = {};
-  for (const [n, s] of Object.entries(e))
-    if (r.has(n.toLowerCase()))
-      t[n] = "***REDACTED***";
-    else if (typeof s == "string" && n.toLowerCase().includes("email")) {
-      const o = s.split("@");
-      if (o.length === 2 && o[0]) {
-        const i = o[0].substring(0, 3) + "***@" + o[1];
-        t[n] = i;
-      } else
-        t[n] = s;
-    } else
-      t[n] = s;
-  return t;
-}
-const I = Ge();
-function Je(e, r, t, n = {}) {
-  const {
-    enabled: s = !0,
-    maxRetries: o = 1,
-    retryDelay: i = 1e3,
-    rateLimit: a = 3,
-    autoSignOutOnFailure: u = !0,
-    redirectToLogin: f = "/login",
-    autoRedirectOnFailure: g = !0
-  } = n;
-  let w = null, R = !1;
-  const A = [], S = [], y = 60 * 1e3;
-  let h = 0, T = !1, _ = null;
-  const L = 2, M = 60 * 1e3;
-  function c() {
-    const k = Date.now();
-    if (T && _) {
-      if (k < _)
-        return !1;
-      T = !1, _ = null, h = 0;
-    }
-    for (; S.length > 0; ) {
-      const p = S[0];
-      if (p !== void 0 && p < k - y)
-        S.shift();
-      else
-        break;
-    }
-    return S.length >= a ? !1 : (S.push(k), !0);
-  }
-  function l() {
-    h++, h >= L && (T = !0, _ = Date.now() + M, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
-  }
-  function d() {
-    h = 0, T = !1, _ = null;
-  }
-  async function v(k = 1) {
-    if (!s)
-      return null;
-    if (!c())
-      throw new Error("Rate limit exceeded for token refresh");
-    try {
-      const p = await e();
-      if (p)
-        return d(), P(p), n.onTokenRefreshed && await Promise.resolve(n.onTokenRefreshed(p)), p;
-      if (l(), k < o)
-        return await $(i * k), v(k + 1);
-      throw new Error("Token refresh failed: refresh function returned null");
-    } catch (p) {
-      if (l(), k < o && C(p))
-        return await $(i * k), v(k + 1);
-      throw p;
-    }
-  }
-  function C(k) {
-    if (k instanceof Error) {
-      const p = k.message.toLowerCase();
-      if (p.includes("rate limit") || p.includes("too many requests") || p.includes("429") || p.includes("limit:") || p.includes("requests per minute") || p.includes("token_blacklisted") || p.includes("blacklisted") || p.includes("invalid") || p.includes("401") || p.includes("unauthorized") || p.includes("session has been revoked") || p.includes("session expired"))
-        return !1;
-      if (p.includes("network") || p.includes("fetch") || p.includes("timeout"))
-        return !0;
-    }
-    return !1;
-  }
-  function P(k) {
-    const p = [...A];
-    A.length = 0;
-    for (const { resolve: N } of p)
-      N(k);
-  }
-  function z(k) {
-    const p = [...A];
-    A.length = 0;
-    for (const { reject: N } of p)
-      N(k);
-  }
-  function $(k) {
-    return new Promise((p) => setTimeout(p, k));
-  }
-  async function W(k) {
-    try {
-      if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), u && (await t(), await r(), g && typeof window < "u")) {
-        let p = !0;
-        if (n.onBeforeRedirect && (p = await Promise.resolve(n.onBeforeRedirect(k))), p) {
-          const N = new URL(f, window.location.origin);
-          N.searchParams.set("reason", "session_expired"), N.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = N.toString();
-        }
-      }
-    } catch (p) {
-      process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", p);
-    }
-  }
-  return {
-    /**
-     * Refresh token with single refresh queue
-     */
-    async refreshToken() {
-      return s ? w || (R = !0, w = v().then((k) => (R = !1, w = null, k)).catch((k) => {
-        throw R = !1, w = null, z(k), W(k).catch(() => {
-        }), k;
-      }), w) : null;
-    },
-    /**
-     * Check if refresh is in progress
-     */
-    isRefreshing() {
-      return R;
-    },
-    /**
-     * Wait for current refresh to complete
-     */
-    async waitForRefresh() {
-      return w ? new Promise((k, p) => {
-        A.push({ resolve: k, reject: p });
-      }) : null;
-    },
-    /**
-     * Clear state
-     */
-    clear() {
-      w = null, R = !1, S.length = 0, d(), z(new Error("Token refresh manager cleared"));
-    },
-    /**
-     * Handle token refresh failure
-     */
-    async handleRefreshFailure(k) {
-      return W(k);
-    }
-  };
-}
-function Ye() {
-  const e = process.env.NODE_ENV === "production";
-  return {
-    cookieName: "__mulguard_session",
-    expiresIn: 60 * 60 * 24 * 7,
-    // 7 days
-    httpOnly: !0,
-    secure: e,
-    // HTTPS only in production
-    sameSite: "lax",
-    path: "/"
-  };
-}
-function Qe() {
-  return {
-    enabled: !0,
-    refreshThreshold: 300,
-    // 5 minutes before expiration
-    maxRetries: 0,
-    // No retries for blacklisted tokens
-    retryDelay: 1e3,
-    rateLimit: 1,
-    // 1 attempt per minute to prevent loops
-    autoSignOutOnFailure: !0,
-    redirectToLogin: "/login",
-    autoRedirectOnFailure: !0
-  };
-}
-function Ze() {
-  return process.env.NEXT_PUBLIC_URL ?? (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000");
-}
-function er(e) {
-  const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: o } = e, i = r.cookieName ?? "__mulguard_session";
-  let a = null;
-  const u = async () => {
-    const y = Date.now();
-    if (a && y - a.timestamp < t)
-      return a.session;
-    if (n)
-      try {
-        const h = await n();
-        if (h && U(h))
-          return a = { session: h, timestamp: y }, h;
-        h && !U(h) && (await g(), a = null);
-      } catch (h) {
-        I.debug("getSession error", { error: h }), o && await o(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
-      }
-    try {
-      const h = await ce(i);
-      if (h)
-        try {
-          const T = JSON.parse(h);
-          if (U(T))
-            return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await g(), a = null, null) : (a = { session: T, timestamp: y }, T);
-          await g(), a = null;
-        } catch {
-          await g(), a = null;
-        }
-    } catch (h) {
-      const T = h instanceof Error ? h.message : String(h);
-      !T.includes("request scope") && !T.includes("cookies") && (I.warn("getSession cookie error", { error: h }), o && await o(
-        h instanceof Error ? h : new Error(String(h)),
-        "getSession.cookie"
-      ));
-    }
-    return null;
-  }, f = async (y) => {
-    if (!U(y))
-      return {
-        success: !1,
-        error: "Invalid session structure"
-      };
-    try {
-      const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), T = ie(i, h, r), _ = await ae(T);
-      return _.success && (a = { session: y, timestamp: Date.now() }), _;
-    } catch (h) {
-      const T = h instanceof Error ? h.message : "Failed to set session";
-      return I.error("setSession error", { error: h }), o && await o(h instanceof Error ? h : new Error(String(h)), "setSession"), {
-        success: !1,
-        error: T
-      };
-    }
-  }, g = async () => {
-    try {
-      await oe(i, {
-        path: r.path,
-        domain: r.domain
-      }), a = null;
-    } catch (y) {
-      I.warn("clearSessionCookie error", { error: y });
-    }
-  }, w = async () => {
-    const y = await u();
-    return y != null && y.accessToken && typeof y.accessToken == "string" ? y.accessToken : null;
-  };
-  return {
-    getSession: u,
-    setSession: f,
-    clearSessionCookie: g,
-    getAccessToken: w,
-    getRefreshToken: async () => {
-      const y = await u();
-      return y != null && y.refreshToken && typeof y.refreshToken == "string" ? y.refreshToken : null;
-    },
-    hasValidTokens: async () => !!await w(),
-    clearCache: () => {
-      a = null;
-    },
-    getSessionConfig: () => ({ cookieName: i, config: r })
-  };
-}
-function rr(e) {
-  return async (r) => {
-    try {
-      if (!r || typeof r != "object")
-        return {
-          success: !1,
-          error: "Invalid credentials",
-          errorCode: m.VALIDATION_ERROR
-        };
-      if (!r.email || typeof r.email != "string")
-        return {
-          success: !1,
-          error: "Email is required",
-          errorCode: m.VALIDATION_ERROR
-        };
-      const t = G(r.email);
-      if (!K(t))
-        return {
-          success: !1,
-          error: t.error ?? "Invalid email format",
-          errorCode: m.VALIDATION_ERROR
-        };
-      if (!r.password || typeof r.password != "string")
-        return {
-          success: !1,
-          error: "Password is required",
-          errorCode: m.VALIDATION_ERROR
-        };
-      if (r.password.length > 128)
-        return {
-          success: !1,
-          error: "Invalid credentials",
-          errorCode: m.VALIDATION_ERROR
-        };
-      const n = {
-        email: t.sanitized,
-        password: r.password
-        // Don't sanitize password (needed for hashing)
-      }, s = await e.actions.signIn.email(n);
-      if (D(s)) {
-        const o = await e.saveSessionAfterAuth(s);
-        !o.success && o.warning && I.warn("Session save warning", { warning: o.warning });
-      }
-      return s.success ? I.info("Sign in successful", {
-        email: n.email.substring(0, 3) + "***"
-      }) : I.warn("Sign in failed", {
-        email: n.email.substring(0, 3) + "***",
-        errorCode: s.errorCode
-      }), s;
-    } catch (t) {
-      const n = t instanceof Error ? t.message : "Sign in failed";
-      return I.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
-        t instanceof Error ? t : new Error(String(t)),
-        "signIn.email"
-      ), {
-        success: !1,
-        error: "Sign in failed. Please try again.",
-        errorCode: m.UNKNOWN_ERROR
-      };
-    }
-  };
-}
-function tr(e, r) {
-  return async (t) => {
-    if (!t || typeof t != "string")
-      throw new Error("Provider is required");
-    const n = X(t, {
-      maxLength: 50,
-      allowHtml: !1,
-      required: !0
-    });
-    if (!n.valid || !n.sanitized)
-      throw new Error("Invalid provider");
-    const s = n.sanitized.toLowerCase();
-    if (!e.actions.signIn.oauth)
-      throw new Error(
-        "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
-      );
-    const o = await e.actions.signIn.oauth(s);
-    return await r(o.state, s), I.info("OAuth sign in initiated", { provider: s }), o;
-  };
-}
-function nr(e) {
-  return async (r, t) => {
-    if (!r || typeof r != "string")
-      return {
-        success: !1,
-        error: "Email is required",
-        errorCode: m.VALIDATION_ERROR
-      };
-    const n = G(r);
-    if (!K(n))
-      return {
-        success: !1,
-        error: n.error ?? "Invalid email format",
-        errorCode: m.VALIDATION_ERROR
-      };
-    if (t !== void 0 && (typeof t != "string" || t.length < 4 || t.length > 10))
-      return {
-        success: !1,
-        error: "Invalid OTP code format",
-        errorCode: m.VALIDATION_ERROR
-      };
-    if (!e.actions.signIn.otp)
-      return {
-        success: !1,
-        error: "OTP sign in is not configured",
-        errorCode: m.VALIDATION_ERROR
-      };
-    try {
-      const s = await e.actions.signIn.otp(n.sanitized, t);
-      if (D(s)) {
-        const o = await e.saveSessionAfterAuth(s);
-        !o.success && o.warning && I.warn("Session save warning", { warning: o.warning });
-      }
-      return s.success ? I.info("OTP sign in successful", {
-        email: n.sanitized.substring(0, 3) + "***"
-      }) : I.warn("OTP sign in failed", {
-        email: n.sanitized.substring(0, 3) + "***"
-      }), s;
-    } catch (s) {
-      return I.error("OTP sign in error", {
-        error: s instanceof Error ? s.message : "Unknown error",
-        context: "signIn.otp"
-      }), e.onError && await e.onError(
-        s instanceof Error ? s : new Error(String(s)),
-        "signIn.otp"
-      ), {
-        success: !1,
-        error: "OTP sign in failed. Please try again.",
-        errorCode: m.UNKNOWN_ERROR
-      };
-    }
-  };
-}
-function sr(e) {
-  return async (r) => {
-    if (!e.actions.signIn.passkey)
-      throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
-    try {
-      const t = await e.actions.signIn.passkey(r);
-      if (D(t)) {
-        const n = await e.saveSessionAfterAuth(t);
-        !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
-      }
-      return t;
-    } catch (t) {
-      return e.onError && await e.onError(
-        t instanceof Error ? t : new Error(String(t)),
-        "signIn.passkey"
-      ), {
-        success: !1,
-        error: t instanceof Error ? t.message : "PassKey sign in failed"
-      };
-    }
-  };
-}
-function or(e, r) {
-  const t = rr(e), n = tr(e, r), s = nr(e), o = sr(e);
-  return Object.assign(async (u, f) => {
-    if (!u || typeof u != "string")
-      throw new Error("Provider is required");
-    const g = X(u, {
-      maxLength: 50,
-      allowHtml: !1,
-      required: !0
-    });
-    if (!g.valid || !g.sanitized)
-      throw new Error("Invalid provider");
-    const w = g.sanitized.toLowerCase();
-    if (w === "google" || w === "github" || w === "apple" || w === "facebook" || typeof w == "string" && !["credentials", "otp", "passkey"].includes(w))
-      return n(w);
-    if (w === "credentials")
-      return !f || !("email" in f) || !("password" in f) ? {
-        success: !1,
-        error: "Credentials are required",
-        errorCode: m.VALIDATION_ERROR
-      } : t(f);
-    if (w === "otp") {
-      if (!f || !("email" in f))
-        return {
-          success: !1,
-          error: "Email is required",
-          errorCode: m.VALIDATION_ERROR
-        };
-      const R = f;
-      return s(R.email, R.code);
-    }
-    return w === "passkey" ? o(f) : {
-      success: !1,
-      error: "Invalid provider",
-      errorCode: m.VALIDATION_ERROR
-    };
-  }, {
-    email: t,
-    oauth: e.actions.signIn.oauth ? n : void 0,
-    passkey: e.actions.signIn.passkey ? o : void 0,
-    otp: e.actions.signIn.otp ? s : void 0
-  });
-}
-function ir(e) {
-  return async (r) => {
-    if (!e.actions.signUp)
-      throw new Error("Sign up is not configured. Provide signUp action in config.");
-    try {
-      const t = await e.actions.signUp(r);
-      if (D(t)) {
-        const n = await e.saveSessionAfterAuth(t);
-        !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
-      }
-      return t;
-    } catch (t) {
-      return e.onError && await e.onError(
-        t instanceof Error ? t : new Error(String(t)),
-        "signUp"
-      ), {
-        success: !1,
-        error: t instanceof Error ? t.message : "Sign up failed"
-      };
-    }
-  };
-}
-function ar(e, r) {
-  return async (t, n, s) => {
-    const o = e.oauthProviders[t];
-    if (!o)
-      return {
-        success: !1,
-        error: `OAuth provider "${t}" is not configured`,
-        errorCode: m.VALIDATION_ERROR
-      };
-    try {
-      const i = o.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await be(t, o, n, i), u = await Fe(t, a.access_token), f = {
-        id: u.id,
-        email: u.email,
-        name: u.name,
-        avatar: u.avatar,
-        emailVerified: u.emailVerified,
-        provider: t,
-        accessToken: a.access_token,
-        refreshToken: a.refresh_token,
-        tokens: {
-          access_token: a.access_token,
-          refresh_token: a.refresh_token,
-          expires_in: a.expires_in,
-          token_type: a.token_type,
-          id_token: a.id_token
-        },
-        rawProfile: u.rawProfile
-      };
-      if (e.callbacks.onOAuthUser) {
-        const g = await q(
-          e.callbacks.onOAuthUser,
-          [f, t],
-          e.onError
-        );
-        if (!g)
-          return {
-            success: !1,
-            error: "Failed to create or retrieve user",
-            errorCode: m.VALIDATION_ERROR
-          };
-        const w = e.createSession(g, f, a);
-        return await e.saveSession(w), e.callbacks.onSignIn && await q(
-          e.callbacks.onSignIn,
-          [w.user, w],
-          e.onError
-        ), { success: !0, user: w.user, session: w };
-      }
-      return {
-        success: !1,
-        error: "OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",
-        errorCode: m.VALIDATION_ERROR
-      };
-    } catch (i) {
-      return I.error("OAuth callback failed", { provider: t, error: i }), {
-        success: !1,
-        error: i instanceof Error ? i.message : "OAuth callback failed",
-        errorCode: m.NETWORK_ERROR
-      };
-    }
-  };
-}
-async function q(e, r, t) {
-  if (e)
-    try {
-      return await e(...r);
-    } catch (n) {
-      throw t && await t(
-        n instanceof Error ? n : new Error(String(n)),
-        "callback"
-      ), n;
-    }
-}
-function cr(e, r, t, n) {
-  if (Object.keys(e).length !== 0)
-    return async (s) => {
-      const o = e[s];
-      if (!o)
-        throw new Error(`OAuth provider "${s}" is not configured. Add it to providers.oauth in config.`);
-      if (!o.clientId)
-        throw new Error(`OAuth provider "${s}" is missing clientId`);
-      const i = t();
-      return { url: n(s, o, r, i), state: i };
-    };
-}
-function st(e) {
-  var L, M;
-  const r = {
-    ...Ye(),
-    ...e.session
-  }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, o = Ze(), i = {
-    ...Qe(),
-    ...e.tokenRefresh
-  }, a = ((M = e.session) == null ? void 0 : M.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, u = e.oauthStateStore || Be(), f = { ...t }, g = async (c, l) => {
-    const d = {
-      provider: l,
-      expiresAt: Date.now() + 6e5
-      // 10 minutes
-    };
-    await Promise.resolve(u.set(c, d, 10 * 60 * 1e3)), u.cleanup && await Promise.resolve(u.cleanup());
-  }, w = async (c, l) => {
-    let d = await Promise.resolve(u.get(c));
-    if (!d)
-      try {
-        const { getOAuthStateCookie: v } = await import("../oauth-state-DKle8eCr.mjs").then((P) => P.q), C = await v();
-        if (C && C.state === c && C.provider === l)
-          return !0;
-      } catch {
-      }
-    return d ? d.expiresAt < Date.now() ? (await Promise.resolve(u.delete(c)), !1) : d.provider !== l ? !1 : (await Promise.resolve(u.delete(c)), !0) : !1;
-  }, R = cr(
-    s,
-    o,
-    _e,
-    Ne
-  );
-  if (R && !f.signIn.oauth) {
-    const c = f.signIn;
-    f.signIn = {
-      ...c,
-      oauth: async (l) => {
-        const d = await R(l);
-        return await g(d.state, l), d;
-      }
-    };
-  }
-  if (!f.signIn || !f.signIn.email)
-    throw new Error("mulguard: signIn.email action is required");
-  const A = async (c, ...l) => {
-    if (c)
-      try {
-        return await c(...l);
-      } catch (d) {
-        throw n.onError && await n.onError(d instanceof Error ? d : new Error(String(d)), "callback"), d;
-      }
-  }, S = er({
-    sessionConfig: r,
-    cacheTtl: a,
-    getSessionAction: t.getSession,
-    onSessionExpired: n.onSessionExpired,
-    onError: n.onError
-  }), y = async (c) => {
-    if (!D(c) || !c.session)
-      return { success: !0 };
-    const l = await S.setSession(c.session);
-    return c.user && n.onSignIn && await A(n.onSignIn, c.user, c.session), l;
-  };
-  if (Object.keys(s).length > 0 && !f.oauthCallback) {
-    const c = ar(
-      {
-        oauthProviders: s,
-        baseUrl: o,
-        callbacks: n,
-        createSession: (l, d, v) => ({
-          user: {
-            ...l,
-            avatar: d.avatar,
-            emailVerified: d.emailVerified
-          },
-          expiresAt: new Date(Date.now() + (r.expiresIn || 604800) * 1e3),
-          accessToken: v.access_token,
-          refreshToken: v.refresh_token,
-          tokenType: "Bearer",
-          expiresIn: v.expires_in
-        }),
-        saveSession: async (l) => {
-          await S.setSession(l);
-        },
-        onError: n.onError
-      }
-    );
-    f.oauthCallback = c;
-  }
-  const h = or(
-    {
-      actions: f,
-      callbacks: n,
-      saveSessionAfterAuth: y,
-      onError: n.onError
-    },
-    g
-  ), T = ir({
-    actions: f,
-    callbacks: n,
-    saveSessionAfterAuth: y,
-    onError: n.onError
-  }), _ = {
-    /**
-     * Get current session
-     * Uses custom getSession action if provided, otherwise falls back to reading from cookie
-     */
-    async getSession() {
-      return await S.getSession();
-    },
-    /**
-     * Get access token from current session
-     */
-    async getAccessToken() {
-      return await S.getAccessToken();
-    },
-    /**
-     * Get refresh token from current session
-     */
-    async getRefreshToken() {
-      return await S.getRefreshToken();
-    },
-    /**
-     * Check if session has valid tokens
-     */
-    async hasValidTokens() {
-      return await S.hasValidTokens();
-    },
-    /**
-     * Unified sign in method - supports both unified and direct method calls
-     */
-    signIn: h,
-    /**
-     * Sign up new user
-     */
-    async signUp(c) {
-      if (!T)
-        throw new Error("Sign up is not configured. Provide signUp action in config.");
-      return await T(c);
-    },
-    /**
-     * Sign out
-     */
-    async signOut() {
-      try {
-        const c = await this.getSession(), l = c == null ? void 0 : c.user;
-        return t.signOut && await t.signOut(), await S.clearSessionCookie(), S.clearCache(), l && n.onSignOut && await A(n.onSignOut, l), { success: !0 };
-      } catch (c) {
-        return await S.clearSessionCookie(), S.clearCache(), n.onError && await A(n.onError, c instanceof Error ? c : new Error(String(c)), "signOut"), {
-          success: !1,
-          error: c instanceof Error ? c.message : "Sign out failed"
-        };
-      }
-    },
-    /**
-     * Request password reset
-     */
-    async resetPassword(c) {
-      if (!t.resetPassword)
-        throw new Error("Password reset is not configured. Provide resetPassword action in config.");
-      try {
-        return await t.resetPassword(c);
-      } catch (l) {
-        return n.onError && await A(n.onError, l instanceof Error ? l : new Error(String(l)), "resetPassword"), {
-          success: !1,
-          error: l instanceof Error ? l.message : "Password reset failed"
-        };
-      }
-    },
-    /**
-     * Verify email address
-     */
-    async verifyEmail(c) {
-      if (!t.verifyEmail)
-        throw new Error("Email verification is not configured. Provide verifyEmail action in config.");
-      try {
-        return await t.verifyEmail(c);
-      } catch (l) {
-        return n.onError && await A(n.onError, l instanceof Error ? l : new Error(String(l)), "verifyEmail"), {
-          success: !1,
-          error: l instanceof Error ? l.message : "Email verification failed"
-        };
-      }
-    },
-    /**
-     * Refresh session
-     * Executes custom refreshSession action with improved error handling and callbacks
-     */
-    async refreshSession() {
-      if (!t.refreshSession)
-        return this.getSession();
-      try {
-        const c = await t.refreshSession();
-        if (c && U(c)) {
-          if (await S.setSession(c), n.onSessionUpdate) {
-            const l = await A(n.onSessionUpdate, c);
-            if (l && U(l)) {
-              if (await S.setSession(l), n.onTokenRefresh) {
-                const d = await this.getSession();
-                d && await A(n.onTokenRefresh, d, l);
-              }
-              return l;
-            }
-          }
-          if (n.onTokenRefresh) {
-            const l = await this.getSession();
-            l && await A(n.onTokenRefresh, l, c);
-          }
-          return c;
-        } else if (c && !U(c))
-          return await S.clearSessionCookie(), S.clearCache(), null;
-        return null;
-      } catch (c) {
-        return await S.clearSessionCookie(), S.clearCache(), n.onError && await A(n.onError, c instanceof Error ? c : new Error(String(c)), "refreshSession"), null;
-      }
-    },
-    /**
-     * OAuth callback handler
-     * ✅ Auto-generated if providers.oauth is configured in config
-     */
-    async oauthCallback(c, l, d) {
-      if (!f.oauthCallback)
-        throw new Error(
-          "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
-        );
-      if (!l || !d)
-        return {
-          success: !1,
-          error: "Missing required OAuth parameters (code or state)",
-          errorCode: m.VALIDATION_ERROR
-        };
-      let v = c;
-      if (!v) {
-        const P = await Promise.resolve(u.get(d));
-        if (P && P.provider)
-          v = P.provider;
-        else
-          return {
-            success: !1,
-            error: "Provider is required and could not be extracted from state",
-            errorCode: m.VALIDATION_ERROR
-          };
-      }
-      if (!await w(d, v))
-        return {
-          success: !1,
-          error: "Invalid or expired state parameter",
-          errorCode: m.VALIDATION_ERROR
-        };
-      try {
-        return await f.oauthCallback(v, l, d);
-      } catch (P) {
-        return n.onError && await A(n.onError, P instanceof Error ? P : new Error(String(P)), "oauthCallback"), {
-          success: !1,
-          error: P instanceof Error ? P.message : "OAuth callback failed",
-          errorCode: m.NETWORK_ERROR
-        };
-      }
-    },
-    /**
-     * Verify 2FA code after initial sign in
-     * Used when signIn returns requires2FA: true
-     */
-    async verify2FA(c, l) {
-      if (!t.verify2FA)
-        throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
-      try {
-        const d = await t.verify2FA(c);
-        if (d.success && d.session && !(l != null && l.skipCookieSave)) {
-          const v = await y(d);
-          v.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after verify2FA", {
-            error: v.error,
-            warning: v.warning
-          }), n.onError && await A(
-            n.onError,
-            new Error(v.warning || v.error || "Failed to save session cookie"),
-            "verify2FA.setSession"
-          ));
-        }
-        return d;
-      } catch (d) {
-        return n.onError && await A(n.onError, d instanceof Error ? d : new Error(String(d)), "verify2FA"), {
-          success: !1,
-          error: d instanceof Error ? d.message : "2FA verification failed",
-          errorCode: m.TWO_FA_REQUIRED
-        };
-      }
-    },
-    /**
-     * Set session directly
-     * Useful for Server Actions that need to save session manually
-     */
-    async setSession(c) {
-      return await S.setSession(c);
-    },
-    /**
-     * Internal method to get session config for Server Actions
-     * Used by verify2FAAction to save session cookie directly
-     * @internal
-     */
-    _getSessionConfig() {
-      return S.getSessionConfig();
-    },
-    _getCallbacks() {
-      return n;
-    },
-    /**
-     * Store OAuth state for validation (useful when using external backend API)
-     * This allows storing state generated by backend APIs in mulguard's state store
-     * 
-     * @param state - OAuth state token
-     * @param provider - OAuth provider name
-     */
-    async storeOAuthState(c, l) {
-      await g(c, l);
-    },
-    /**
-     * PassKey methods
-     */
-    passkey: t.passkey ? {
-      register: t.passkey.register,
-      authenticate: async (c) => {
-        var l;
-        if (!((l = t.passkey) != null && l.authenticate))
-          throw new Error("PassKey authenticate is not configured.");
-        try {
-          const d = await t.passkey.authenticate(c);
-          return d.success && d.session && await y(d), d;
-        } catch (d) {
-          return n.onError && await A(n.onError, d instanceof Error ? d : new Error(String(d)), "passkey.authenticate"), {
-            success: !1,
-            error: d instanceof Error ? d.message : "PassKey authentication failed"
-          };
-        }
-      },
-      list: t.passkey.list ? async () => {
-        var l;
-        if (!((l = t.passkey) != null && l.list))
-          throw new Error("PassKey list is not configured.");
-        return [...await t.passkey.list()];
-      } : void 0,
-      remove: t.passkey.remove
-    } : void 0,
-    /**
-     * Two-Factor Authentication methods
-     */
-    twoFactor: t.twoFactor ? {
-      enable: t.twoFactor.enable,
-      verify: t.twoFactor.verify,
-      disable: t.twoFactor.disable,
-      generateBackupCodes: t.twoFactor.generateBackupCodes,
-      isEnabled: t.twoFactor.isEnabled,
-      verify2FA: async (c) => {
-        var d;
-        const l = ((d = t.twoFactor) == null ? void 0 : d.verify2FA) || t.verify2FA;
-        if (!l)
-          throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
-        try {
-          const v = await l(c);
-          if (v.success && v.session) {
-            const C = await y(v);
-            C.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after twoFactor.verify2FA", {
-              error: C.error,
-              warning: C.warning
-            }), n.onError && await A(
-              n.onError,
-              new Error(C.warning || C.error || "Failed to save session cookie"),
-              "twoFactor.verify2FA.setSession"
-            ));
-          }
-          return v;
-        } catch (v) {
-          return n.onError && await A(n.onError, v instanceof Error ? v : new Error(String(v)), "twoFactor.verify2FA"), {
-            success: !1,
-            error: v instanceof Error ? v.message : "2FA verification failed",
-            errorCode: m.UNKNOWN_ERROR
-          };
-        }
-      }
-    } : void 0,
-    /**
-     * Sign in methods - alias for signIn (for backward compatibility)
-     */
-    signInMethods: {
-      email: (c) => h.email(c),
-      oauth: (c) => {
-        var l;
-        return ((l = h.oauth) == null ? void 0 : l.call(h, c)) || Promise.reject(new Error("OAuth not configured"));
-      },
-      passkey: (c) => {
-        var l;
-        return ((l = h.passkey) == null ? void 0 : l.call(h, c)) || Promise.reject(new Error("Passkey not configured"));
-      },
-      otp: (c, l) => {
-        var d;
-        return ((d = h.otp) == null ? void 0 : d.call(h, c, l)) || Promise.reject(new Error("OTP not configured"));
-      }
-    }
-  };
-  if (t.refreshSession) {
-    const c = Je(
-      async () => await _.refreshSession(),
-      async () => await _.signOut(),
-      async () => {
-        await S.clearSessionCookie(), S.clearCache();
-      },
-      {
-        ...i,
-        onTokenRefreshed: i.onTokenRefreshed,
-        onTokenRefreshFailed: i.onTokenRefreshFailed,
-        onBeforeRedirect: i.onBeforeRedirect
-      }
-    );
-    _._tokenRefreshManager = c, _._getTokenRefreshManager = () => c;
-  }
-  return _;
-}
-function ot(e) {
-  return {
-    GET: async (r) => B(r, e, "GET"),
-    POST: async (r) => B(r, e, "POST")
-  };
-}
-async function B(e, r, t) {
-  const n = new URL(e.url), s = ur(n.pathname), o = s.split("/").filter(Boolean);
-  try {
-    return t === "GET" ? await lr(e, r, s, o, n) : t === "POST" ? await fr(e, r, s, o, n) : O("Method not allowed", 405);
-  } catch (i) {
-    return O(
-      i instanceof Error ? i.message : "Request failed",
-      500
-    );
-  }
-}
-function ur(e) {
-  return e.replace(/^\/api\/auth/, "") || "/session";
-}
-async function lr(e, r, t, n, s) {
-  if (t === "/session" || t === "/") {
-    const o = await r.getSession();
-    return E.json({ session: o });
-  }
-  return t === "/providers" ? E.json({
-    providers: {
-      email: !!r.signIn.email,
-      oauth: !!r.signIn.oauth,
-      passkey: !!r.signIn.passkey
-    }
-  }) : re(t, n) ? await te(e, r, t, n, s, "GET") : O("Not found", 404);
-}
-async function fr(e, r, t, n, s) {
-  const o = await dr(e);
-  return t === "/sign-in" || n[0] === "sign-in" ? await gr(r, o) : t === "/sign-up" || n[0] === "sign-up" ? await wr(r, o) : t === "/sign-out" || n[0] === "sign-out" ? await pr(r) : t === "/reset-password" || n[0] === "reset-password" ? await mr(r, o) : t === "/verify-email" || n[0] === "verify-email" ? await Er(r, o) : t === "/refresh" || n[0] === "refresh" ? await yr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", o) : t.startsWith("/passkey") ? await vr(r, t, n, o) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await kr(r, o) : t.startsWith("/two-factor") ? await Sr(r, n, o) : O("Not found", 404);
-}
-async function dr(e) {
-  try {
-    return await e.json();
-  } catch {
-    return {};
-  }
-}
-function re(e, r) {
-  return e === "/callback" || e.startsWith("/oauth/callback") || r[0] === "oauth" && r[1] === "callback" || r[0] === "callback";
-}
-async function te(e, r, t, n, s, o, i) {
-  if (!r.oauthCallback)
-    return o === "GET" ? V(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
-  const a = hr(n, s, i), u = (i == null ? void 0 : i.code) ?? s.searchParams.get("code"), f = (i == null ? void 0 : i.state) ?? s.searchParams.get("state");
-  if (!u || !f)
-    return o === "GET" ? V(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
-  try {
-    const g = await r.oauthCallback(a ?? "", u, f);
-    return o === "GET" ? g.success ? Ar(e.url, s.searchParams.get("callbackUrl")) : V(e.url, g.error ?? "oauth_failed") : E.json(g);
-  } catch (g) {
-    return o === "GET" ? V(e.url, g instanceof Error ? g.message : "oauth_error") : O(g instanceof Error ? g.message : "OAuth callback failed", 500);
-  }
-}
-function hr(e, r, t) {
-  return t != null && t.provider ? t.provider : e[0] === "callback" && e[1] ? e[1] : e[0] === "oauth" && e[1] === "callback" && e[2] ? e[2] : r.searchParams.get("provider");
-}
-async function gr(e, r) {
-  if (r.provider === "email" && r.email && r.password) {
-    const t = {
-      email: r.email,
-      password: r.password
-    }, n = await e.signIn.email(t);
-    return E.json(n);
-  }
-  if (r.provider === "oauth" && r.providerName) {
-    if (!e.signIn.oauth)
-      return O("OAuth is not configured", 400);
-    const t = await e.signIn.oauth(r.providerName);
-    return E.json(t);
-  }
-  if (r.provider === "passkey") {
-    if (!e.signIn.passkey)
-      return O("PassKey is not configured", 400);
-    const t = await e.signIn.passkey(r.options);
-    return E.json(t);
-  }
-  return O("Invalid sign in request", 400);
-}
-async function wr(e, r) {
-  if (!e.signUp)
-    return O("Sign up is not configured", 400);
-  const t = await e.signUp(r);
-  return E.json(t);
-}
-async function pr(e) {
-  const r = await e.signOut();
-  return E.json(r);
-}
-async function mr(e, r) {
-  if (!e.resetPassword)
-    return O("Password reset is not configured", 400);
-  if (!r.email || typeof r.email != "string")
-    return O("Email is required", 400);
-  const t = await e.resetPassword(r.email);
-  return E.json(t);
-}
-async function Er(e, r) {
-  if (!e.verifyEmail)
-    return O("Email verification is not configured", 400);
-  if (!r.token || typeof r.token != "string")
-    return O("Token is required", 400);
-  const t = await e.verifyEmail(r.token);
-  return E.json(t);
-}
-async function yr(e) {
-  if (!e.refreshSession) {
-    const t = await e.getSession();
-    return E.json({ session: t });
-  }
-  const r = await e.refreshSession();
-  return E.json({ session: r });
-}
-async function kr(e, r) {
-  if (!e.verify2FA)
-    return O("2FA verification is not configured", 400);
-  if (!r.email || !r.userId || !r.code)
-    return O("Missing required parameters. Email, userId, and code are required.", 400);
-  const t = {
-    email: r.email,
-    userId: r.userId,
-    code: r.code
-  }, n = await e.verify2FA(t);
-  return E.json(n);
-}
-async function vr(e, r, t, n) {
-  if (!e.passkey)
-    return O("PassKey is not configured", 400);
-  const s = t[1];
-  if (s === "register" && e.passkey.register) {
-    const o = await e.passkey.register(n.options);
-    return E.json(o);
-  }
-  if (s === "list" && e.passkey.list) {
-    const o = await e.passkey.list();
-    return E.json(o);
-  }
-  if (s === "remove" && e.passkey.remove) {
-    if (!n.passkeyId || typeof n.passkeyId != "string")
-      return O("Passkey ID is required", 400);
-    const o = await e.passkey.remove(n.passkeyId);
-    return E.json(o);
-  }
-  return O("Invalid Passkey request", 400);
-}
-async function Sr(e, r, t) {
-  if (!e.twoFactor)
-    return O("Two-Factor Authentication is not configured", 400);
-  const n = r[1];
-  if (n === "enable" && e.twoFactor.enable) {
-    const s = await e.twoFactor.enable();
-    return E.json(s);
-  }
-  if (n === "verify" && e.twoFactor.verify) {
-    if (!t.code || typeof t.code != "string")
-      return O("Code is required", 400);
-    const s = await e.twoFactor.verify(t.code);
-    return E.json(s);
-  }
-  if (n === "disable" && e.twoFactor.disable) {
-    const s = await e.twoFactor.disable();
-    return E.json(s);
-  }
-  if (n === "backup-codes" && e.twoFactor.generateBackupCodes) {
-    const s = await e.twoFactor.generateBackupCodes();
-    return E.json(s);
-  }
-  if (n === "is-enabled" && e.twoFactor.isEnabled) {
-    const s = await e.twoFactor.isEnabled();
-    return E.json({ enabled: s });
-  }
-  return O("Invalid two-factor request", 400);
-}
-function O(e, r) {
-  return E.json(
-    {
-      success: !1,
-      error: e
-    },
-    { status: r }
-  );
-}
-function V(e, r) {
-  return E.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
-}
-function Ar(e, r) {
-  const t = r ?? "/";
-  return E.redirect(new URL(t, e));
-}
-function it(e) {
-  return async (r) => {
-    const { method: t, nextUrl: n } = r, o = n.pathname.replace(/^\/api\/auth/, "") || "/";
-    try {
-      let i;
-      if (t !== "GET" && t !== "HEAD")
-        try {
-          i = await r.json();
-        } catch {
-        }
-      const a = Object.fromEntries(n.searchParams.entries()), u = await fetch(
-        `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${o}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
-        {
-          method: t,
-          headers: {
-            "Content-Type": "application/json",
-            ...Object.fromEntries(r.headers.entries())
-          },
-          body: i ? JSON.stringify(i) : void 0
-        }
-      ), f = await u.json();
-      return E.json(f, {
-        status: u.status,
-        headers: {
-          ...Object.fromEntries(u.headers.entries())
-        }
-      });
-    } catch (i) {
-      return console.error("API handler error:", i), E.json(
-        {
-          success: !1,
-          error: i instanceof Error ? i.message : "Internal server error"
-        },
-        { status: 500 }
-      );
-    }
-  };
-}
-function at(e) {
-  return async (r) => {
-    const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), o = t.get("state");
-    if (!n || !s || !o)
-      return E.redirect(
-        new URL("/login?error=oauth_missing_params", r.url)
-      );
-    try {
-      if (!e.oauthCallback)
-        return E.redirect(
-          new URL("/login?error=oauth_not_configured", r.url)
-        );
-      const i = await e.oauthCallback(n, s, o);
-      if (i.success) {
-        const a = t.get("callbackUrl") || "/";
-        return E.redirect(new URL(a, r.url));
-      } else {
-        const a = i.errorCode ? `${encodeURIComponent(i.error || "oauth_failed")}&code=${i.errorCode}` : encodeURIComponent(i.error || "oauth_failed");
-        return E.redirect(
-          new URL(`/login?error=${a}`, r.url)
-        );
-      }
-    } catch (i) {
-      return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", i), E.redirect(
-        new URL(
-          `/login?error=${encodeURIComponent(i instanceof Error ? i.message : "oauth_error")}`,
-          r.url
-        )
-      );
-    }
-  };
-}
-function F(e, r) {
-  const t = H({
-    // Customize headers if needed
-    "X-Frame-Options": "SAMEORIGIN"
-    // Allow same-origin framing
-  });
-  for (const [n, s] of Object.entries(t))
-    s && typeof s == "string" && r.headers.set(n, s);
-  return r;
-}
-function ct() {
-  return async (e) => {
-    const r = E.next();
-    return F(e, r);
-  };
-}
-function ut(e, r = {}) {
-  const {
-    protectedRoutes: t = [],
-    publicRoutes: n = [],
-    redirectTo: s = "/login",
-    redirectIfAuthenticated: o
-  } = r;
-  return async (i) => {
-    const { pathname: a } = i.nextUrl, u = t.some((w) => a.startsWith(w));
-    let f = null;
-    try {
-      f = await e.getSession();
-    } catch (w) {
-      console.error("Middleware: Failed to get session:", w);
-    }
-    if (u && !f) {
-      const w = i.nextUrl.clone();
-      return w.pathname = s, w.searchParams.set("callbackUrl", a), E.redirect(w);
-    }
-    if (o && f && (a.startsWith("/login") || a.startsWith("/register"))) {
-      const R = i.nextUrl.clone();
-      R.pathname = o;
-      const A = E.redirect(R);
-      return F(i, A);
-    }
-    const g = E.next();
-    return F(i, g);
-  };
-}
-async function lt(e, r) {
-  var t;
-  try {
-    const n = await e.getSession();
-    return n ? ((t = n.user.roles) == null ? void 0 : t.includes(r)) ?? !1 : !1;
-  } catch {
-    return !1;
-  }
-}
-function ft(e) {
-  const {
-    auth: r,
-    protectedRoutes: t = [],
-    publicRoutes: n = [],
-    redirectTo: s = "/login",
-    redirectIfAuthenticated: o,
-    apiPrefix: i = "/api/auth"
-  } = e;
-  return async (a) => {
-    const { pathname: u } = a.nextUrl;
-    if (u.startsWith(i)) {
-      const R = E.next();
-      return F(a, R);
-    }
-    const f = t.some((R) => u.startsWith(R));
-    let g = null;
-    if (f || o)
-      try {
-        g = await r.getSession();
-      } catch (R) {
-        console.error("Middleware: Failed to get session:", R);
-      }
-    if (f && !g) {
-      const R = a.nextUrl.clone();
-      R.pathname = s, R.searchParams.set("callbackUrl", u);
-      const A = E.redirect(R);
-      return F(a, A);
-    }
-    if (o && g && (u.startsWith("/login") || u.startsWith("/register"))) {
-      const A = a.nextUrl.clone();
-      A.pathname = o;
-      const S = E.redirect(A);
-      return F(a, S);
-    }
-    const w = E.next();
-    return F(a, w);
-  };
-}
-async function dt(e, r) {
-  var t;
-  try {
-    const n = await e.getSession();
-    return n ? ((t = n.user.roles) == null ? void 0 : t.includes(r)) ?? !1 : !1;
-  } catch {
-    return !1;
-  }
-}
-export {
-  Te as CSRFProtection,
-  fe as DEFAULT_SECURITY_HEADERS,
-  Oe as MemoryCSRFStore,
-  qe as MemoryOAuthStateStore,
-  le as RateLimiter,
-  Pr as applySecurityHeaders,
-  ie as buildCookieOptions,
-  Ne as buildOAuthAuthorizationUrl,
-  lt as checkRole,
-  dt as checkRoleProxy,
-  $r as containsXSSPattern,
-  it as createApiHandler,
-  ut as createAuthMiddleware,
-  Vr as createCSRFProtection,
-  We as createCookieOAuthStateStore,
-  Be as createMemoryOAuthStateStore,
-  tt as createNextJsCookieOAuthStateStore,
-  at as createOAuthCallbackHandler,
-  ft as createProxyMiddleware,
-  _r as createRateLimiter,
-  nt as createRedisOAuthStateStore,
-  ct as createSecurityMiddleware,
-  kt as createServerAuthMiddleware,
-  vt as createServerHelpers,
-  St as createServerUtils,
-  At as createSessionManager,
-  oe as deleteCookie,
-  Rt as deleteOAuthStateCookie,
-  Ie as escapeHTML,
-  be as exchangeOAuthCode,
-  _e as generateCSRFToken,
-  Y as generateToken,
-  ce as getCookie,
-  Ot as getCurrentUser,
-  Kr as getErrorCode,
-  Gr as getErrorMessage,
-  Tt as getOAuthStateCookie,
-  Fe as getOAuthUserInfo,
-  j as getProviderMetadata,
-  H as getSecurityHeaders,
-  It as getServerSession,
-  _t as getSessionTimeUntilExpiry,
-  Qr as getUserFriendlyError,
-  Jr as hasErrorCode,
-  Ce as isAuthError,
-  Xr as isAuthSuccess,
-  rt as isOAuthProviderConfig,
-  Yr as isRetryableError,
-  Pt as isSessionExpiredNullable,
-  Ct as isSessionExpiringSoon,
-  Nt as isSessionValid,
-  et as isSupportedProvider,
-  Hr as isTwoFactorRequired,
-  Wr as isValidCSRFToken,
-  Br as isValidEmail,
-  Mr as isValidInput,
-  Ur as isValidName,
-  Nr as isValidPassword,
-  Lr as isValidToken,
-  xr as isValidURL,
-  st as mulguard,
-  bt as refreshSession,
-  Ut as requireAuth,
-  Ft as requireRole,
-  xt as requireServerAuthMiddleware,
-  Dt as requireServerRoleMiddleware,
-  jr as sanitizeHTML,
-  qr as sanitizeInput,
-  zr as sanitizeUserInput,
-  ae as setCookie,
-  Zr as signIn,
-  wt as signInEmailAction,
-  pt as signOutAction,
-  mt as signUpAction,
-  Lt as storeOAuthStateCookie,
-  ot as toNextJsHandler,
-  G as validateAndSanitizeEmail,
-  X as validateAndSanitizeInput,
-  br as validateAndSanitizeName,
-  Cr as validateAndSanitizePassword,
-  Q as validateCSRFToken,
-  U as validateSessionStructure,
-  Dr as validateToken,
-  Fr as validateURL,
-  Et as verify2FAAction,
-  F as withSecurityHeaders
-};