npm - mulguard - Versions diffs - 1.1.7 → 1.1.9 - Mend

mulguard 1.1.7 → 1.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (546) hide show

package/LICENSE +3 -3
package/README.md +21 -582
package/adapters.d.ts +2 -0
package/adapters.d.ts.map +1 -0
package/adapters.js +1 -0
package/index.d.ts +329 -0
package/index.d.ts.map +1 -0
package/index.js +145 -0
package/jwt.d.ts +9 -0
package/jwt.d.ts.map +1 -0
package/jwt.js +8 -0
package/lib/actions.d.ts +13 -0
package/lib/actions.d.ts.map +1 -0
package/lib/actions.js +86 -0
package/lib/client.d.ts +104 -0
package/lib/client.d.ts.map +1 -0
package/lib/client.js +95 -0
package/lib/env.d.ts +12 -0
package/lib/env.d.ts.map +1 -0
package/lib/env.js +38 -0
package/lib/index.d.ts +56 -0
package/lib/index.d.ts.map +1 -0
package/lib/index.js +187 -0
package/lib/types.d.ts +24 -0
package/lib/types.d.ts.map +1 -0
package/lib/types.js +1 -0
package/middleware.d.ts +9 -0
package/middleware.d.ts.map +1 -0
package/middleware.js +12 -0
package/next.d.ts +9 -0
package/next.d.ts.map +1 -0
package/next.js +12 -0
package/package.json +93 -102
package/providers/42-school.d.ts +3 -0
package/providers/42-school.d.ts.map +1 -0
package/providers/42-school.js +2 -0
package/providers/apple.d.ts +3 -0
package/providers/apple.d.ts.map +1 -0
package/providers/apple.js +2 -0
package/providers/asgardeo.d.ts +3 -0
package/providers/asgardeo.d.ts.map +1 -0
package/providers/asgardeo.js +2 -0
package/providers/atlassian.d.ts +3 -0
package/providers/atlassian.d.ts.map +1 -0
package/providers/atlassian.js +2 -0
package/providers/auth0.d.ts +3 -0
package/providers/auth0.d.ts.map +1 -0
package/providers/auth0.js +2 -0
package/providers/authentik.d.ts +3 -0
package/providers/authentik.d.ts.map +1 -0
package/providers/authentik.js +2 -0
package/providers/azure-ad-b2c.d.ts +3 -0
package/providers/azure-ad-b2c.d.ts.map +1 -0
package/providers/azure-ad-b2c.js +2 -0
package/providers/azure-ad.d.ts +3 -0
package/providers/azure-ad.d.ts.map +1 -0
package/providers/azure-ad.js +2 -0
package/providers/azure-devops.d.ts +3 -0
package/providers/azure-devops.d.ts.map +1 -0
package/providers/azure-devops.js +2 -0
package/providers/bankid-no.d.ts +3 -0
package/providers/bankid-no.d.ts.map +1 -0
package/providers/bankid-no.js +2 -0
package/providers/battlenet.d.ts +3 -0
package/providers/battlenet.d.ts.map +1 -0
package/providers/battlenet.js +2 -0
package/providers/beyondidentity.d.ts +3 -0
package/providers/beyondidentity.d.ts.map +1 -0
package/providers/beyondidentity.js +2 -0
package/providers/bitbucket.d.ts +3 -0
package/providers/bitbucket.d.ts.map +1 -0
package/providers/bitbucket.js +2 -0
package/providers/box.d.ts +3 -0
package/providers/box.d.ts.map +1 -0
package/providers/box.js +2 -0
package/providers/boxyhq-saml.d.ts +3 -0
package/providers/boxyhq-saml.d.ts.map +1 -0
package/providers/boxyhq-saml.js +2 -0
package/providers/bungie.d.ts +3 -0
package/providers/bungie.d.ts.map +1 -0
package/providers/bungie.js +2 -0
package/providers/click-up.d.ts +3 -0
package/providers/click-up.d.ts.map +1 -0
package/providers/click-up.js +2 -0
package/providers/cognito.d.ts +3 -0
package/providers/cognito.d.ts.map +1 -0
package/providers/cognito.js +2 -0
package/providers/coinbase.d.ts +3 -0
package/providers/coinbase.d.ts.map +1 -0
package/providers/coinbase.js +2 -0
package/providers/concept2.d.ts +3 -0
package/providers/concept2.d.ts.map +1 -0
package/providers/concept2.js +2 -0
package/providers/credentials.d.ts +3 -0
package/providers/credentials.d.ts.map +1 -0
package/providers/credentials.js +2 -0
package/providers/descope.d.ts +3 -0
package/providers/descope.d.ts.map +1 -0
package/providers/descope.js +2 -0
package/providers/discord.d.ts +3 -0
package/providers/discord.d.ts.map +1 -0
package/providers/discord.js +2 -0
package/providers/dribbble.d.ts +3 -0
package/providers/dribbble.d.ts.map +1 -0
package/providers/dribbble.js +2 -0
package/providers/dropbox.d.ts +3 -0
package/providers/dropbox.d.ts.map +1 -0
package/providers/dropbox.js +2 -0
package/providers/duende-identity-server6.d.ts +3 -0
package/providers/duende-identity-server6.d.ts.map +1 -0
package/providers/duende-identity-server6.js +2 -0
package/providers/email.d.ts +3 -0
package/providers/email.d.ts.map +1 -0
package/providers/email.js +2 -0
package/providers/eventbrite.d.ts +3 -0
package/providers/eventbrite.d.ts.map +1 -0
package/providers/eventbrite.js +2 -0
package/providers/eveonline.d.ts +3 -0
package/providers/eveonline.d.ts.map +1 -0
package/providers/eveonline.js +2 -0
package/providers/facebook.d.ts +3 -0
package/providers/facebook.d.ts.map +1 -0
package/providers/facebook.js +2 -0
package/providers/faceit.d.ts +3 -0
package/providers/faceit.d.ts.map +1 -0
package/providers/faceit.js +2 -0
package/providers/figma.d.ts +3 -0
package/providers/figma.d.ts.map +1 -0
package/providers/figma.js +2 -0
package/providers/forwardemail.d.ts +3 -0
package/providers/forwardemail.d.ts.map +1 -0
package/providers/forwardemail.js +2 -0
package/providers/foursquare.d.ts +3 -0
package/providers/foursquare.d.ts.map +1 -0
package/providers/foursquare.js +2 -0
package/providers/freshbooks.d.ts +3 -0
package/providers/freshbooks.d.ts.map +1 -0
package/providers/freshbooks.js +2 -0
package/providers/frontegg.d.ts +3 -0
package/providers/frontegg.d.ts.map +1 -0
package/providers/frontegg.js +2 -0
package/providers/fusionauth.d.ts +3 -0
package/providers/fusionauth.d.ts.map +1 -0
package/providers/fusionauth.js +2 -0
package/providers/github.d.ts +3 -0
package/providers/github.d.ts.map +1 -0
package/providers/github.js +2 -0
package/providers/gitlab.d.ts +3 -0
package/providers/gitlab.d.ts.map +1 -0
package/providers/gitlab.js +2 -0
package/providers/google.d.ts +3 -0
package/providers/google.d.ts.map +1 -0
package/providers/google.js +2 -0
package/providers/hubspot.d.ts +3 -0
package/providers/hubspot.d.ts.map +1 -0
package/providers/hubspot.js +2 -0
package/providers/huggingface.d.ts +3 -0
package/providers/huggingface.d.ts.map +1 -0
package/providers/huggingface.js +2 -0
package/providers/identity-server4.d.ts +3 -0
package/providers/identity-server4.d.ts.map +1 -0
package/providers/identity-server4.js +2 -0
package/providers/index.d.ts +2 -0
package/providers/index.d.ts.map +1 -0
package/providers/index.js +1 -0
package/providers/instagram.d.ts +3 -0
package/providers/instagram.d.ts.map +1 -0
package/providers/instagram.js +2 -0
package/providers/kakao.d.ts +3 -0
package/providers/kakao.d.ts.map +1 -0
package/providers/kakao.js +2 -0
package/providers/keycloak.d.ts +3 -0
package/providers/keycloak.d.ts.map +1 -0
package/providers/keycloak.js +2 -0
package/providers/kinde.d.ts +3 -0
package/providers/kinde.d.ts.map +1 -0
package/providers/kinde.js +2 -0
package/providers/line.d.ts +3 -0
package/providers/line.d.ts.map +1 -0
package/providers/line.js +2 -0
package/providers/linkedin.d.ts +3 -0
package/providers/linkedin.d.ts.map +1 -0
package/providers/linkedin.js +2 -0
package/providers/logto.d.ts +3 -0
package/providers/logto.d.ts.map +1 -0
package/providers/logto.js +2 -0
package/providers/loops.d.ts +3 -0
package/providers/loops.d.ts.map +1 -0
package/providers/loops.js +2 -0
package/providers/mailchimp.d.ts +3 -0
package/providers/mailchimp.d.ts.map +1 -0
package/providers/mailchimp.js +2 -0
package/providers/mailgun.d.ts +3 -0
package/providers/mailgun.d.ts.map +1 -0
package/providers/mailgun.js +2 -0
package/providers/mailru.d.ts +3 -0
package/providers/mailru.d.ts.map +1 -0
package/providers/mailru.js +2 -0
package/providers/mastodon.d.ts +3 -0
package/providers/mastodon.d.ts.map +1 -0
package/providers/mastodon.js +2 -0
package/providers/mattermost.d.ts +3 -0
package/providers/mattermost.d.ts.map +1 -0
package/providers/mattermost.js +2 -0
package/providers/medium.d.ts +3 -0
package/providers/medium.d.ts.map +1 -0
package/providers/medium.js +2 -0
package/providers/microsoft-entra-id.d.ts +3 -0
package/providers/microsoft-entra-id.d.ts.map +1 -0
package/providers/microsoft-entra-id.js +2 -0
package/providers/naver.d.ts +3 -0
package/providers/naver.d.ts.map +1 -0
package/providers/naver.js +2 -0
package/providers/netlify.d.ts +3 -0
package/providers/netlify.d.ts.map +1 -0
package/providers/netlify.js +2 -0
package/providers/netsuite.d.ts +3 -0
package/providers/netsuite.d.ts.map +1 -0
package/providers/netsuite.js +2 -0
package/providers/nextcloud.d.ts +3 -0
package/providers/nextcloud.d.ts.map +1 -0
package/providers/nextcloud.js +2 -0
package/providers/nodemailer.d.ts +3 -0
package/providers/nodemailer.d.ts.map +1 -0
package/providers/nodemailer.js +2 -0
package/providers/notion.d.ts +3 -0
package/providers/notion.d.ts.map +1 -0
package/providers/notion.js +2 -0
package/providers/okta.d.ts +3 -0
package/providers/okta.d.ts.map +1 -0
package/providers/okta.js +2 -0
package/providers/onelogin.d.ts +3 -0
package/providers/onelogin.d.ts.map +1 -0
package/providers/onelogin.js +2 -0
package/providers/ory-hydra.d.ts +3 -0
package/providers/ory-hydra.d.ts.map +1 -0
package/providers/ory-hydra.js +2 -0
package/providers/osso.d.ts +3 -0
package/providers/osso.d.ts.map +1 -0
package/providers/osso.js +2 -0
package/providers/osu.d.ts +3 -0
package/providers/osu.d.ts.map +1 -0
package/providers/osu.js +2 -0
package/providers/passage.d.ts +3 -0
package/providers/passage.d.ts.map +1 -0
package/providers/passage.js +2 -0
package/providers/passkey.d.ts +3 -0
package/providers/passkey.d.ts.map +1 -0
package/providers/passkey.js +2 -0
package/providers/patreon.d.ts +3 -0
package/providers/patreon.d.ts.map +1 -0
package/providers/patreon.js +2 -0
package/providers/ping-id.d.ts +3 -0
package/providers/ping-id.d.ts.map +1 -0
package/providers/ping-id.js +2 -0
package/providers/pinterest.d.ts +3 -0
package/providers/pinterest.d.ts.map +1 -0
package/providers/pinterest.js +2 -0
package/providers/pipedrive.d.ts +3 -0
package/providers/pipedrive.d.ts.map +1 -0
package/providers/pipedrive.js +2 -0
package/providers/postmark.d.ts +3 -0
package/providers/postmark.d.ts.map +1 -0
package/providers/postmark.js +2 -0
package/providers/reddit.d.ts +3 -0
package/providers/reddit.d.ts.map +1 -0
package/providers/reddit.js +2 -0
package/providers/resend.d.ts +3 -0
package/providers/resend.d.ts.map +1 -0
package/providers/resend.js +2 -0
package/providers/roblox.d.ts +3 -0
package/providers/roblox.d.ts.map +1 -0
package/providers/roblox.js +2 -0
package/providers/salesforce.d.ts +3 -0
package/providers/salesforce.d.ts.map +1 -0
package/providers/salesforce.js +2 -0
package/providers/sendgrid.d.ts +3 -0
package/providers/sendgrid.d.ts.map +1 -0
package/providers/sendgrid.js +2 -0
package/providers/simplelogin.d.ts +3 -0
package/providers/simplelogin.d.ts.map +1 -0
package/providers/simplelogin.js +2 -0
package/providers/slack.d.ts +3 -0
package/providers/slack.d.ts.map +1 -0
package/providers/slack.js +2 -0
package/providers/spotify.d.ts +3 -0
package/providers/spotify.d.ts.map +1 -0
package/providers/spotify.js +2 -0
package/providers/strava.d.ts +3 -0
package/providers/strava.d.ts.map +1 -0
package/providers/strava.js +2 -0
package/providers/threads.d.ts +3 -0
package/providers/threads.d.ts.map +1 -0
package/providers/threads.js +2 -0
package/providers/tiktok.d.ts +3 -0
package/providers/tiktok.d.ts.map +1 -0
package/providers/tiktok.js +2 -0
package/providers/todoist.d.ts +3 -0
package/providers/todoist.d.ts.map +1 -0
package/providers/todoist.js +2 -0
package/providers/trakt.d.ts +3 -0
package/providers/trakt.d.ts.map +1 -0
package/providers/trakt.js +2 -0
package/providers/twitch.d.ts +3 -0
package/providers/twitch.d.ts.map +1 -0
package/providers/twitch.js +2 -0
package/providers/twitter.d.ts +3 -0
package/providers/twitter.d.ts.map +1 -0
package/providers/twitter.js +2 -0
package/providers/united-effects.d.ts +3 -0
package/providers/united-effects.d.ts.map +1 -0
package/providers/united-effects.js +2 -0
package/providers/vipps.d.ts +3 -0
package/providers/vipps.d.ts.map +1 -0
package/providers/vipps.js +2 -0
package/providers/vk.d.ts +3 -0
package/providers/vk.d.ts.map +1 -0
package/providers/vk.js +2 -0
package/providers/webauthn.d.ts +3 -0
package/providers/webauthn.d.ts.map +1 -0
package/providers/webauthn.js +2 -0
package/providers/webex.d.ts +3 -0
package/providers/webex.d.ts.map +1 -0
package/providers/webex.js +2 -0
package/providers/wechat.d.ts +3 -0
package/providers/wechat.d.ts.map +1 -0
package/providers/wechat.js +2 -0
package/providers/wikimedia.d.ts +3 -0
package/providers/wikimedia.d.ts.map +1 -0
package/providers/wikimedia.js +2 -0
package/providers/wordpress.d.ts +3 -0
package/providers/wordpress.d.ts.map +1 -0
package/providers/wordpress.js +2 -0
package/providers/workos.d.ts +3 -0
package/providers/workos.d.ts.map +1 -0
package/providers/workos.js +2 -0
package/providers/yandex.d.ts +3 -0
package/providers/yandex.d.ts.map +1 -0
package/providers/yandex.js +2 -0
package/providers/zitadel.d.ts +3 -0
package/providers/zitadel.d.ts.map +1 -0
package/providers/zitadel.js +2 -0
package/providers/zoho.d.ts +3 -0
package/providers/zoho.d.ts.map +1 -0
package/providers/zoho.js +2 -0
package/providers/zoom.d.ts +3 -0
package/providers/zoom.d.ts.map +1 -0
package/providers/zoom.js +2 -0
package/react.d.ts +102 -0
package/react.d.ts.map +1 -0
package/react.js +361 -0
package/src/adapters.ts +1 -0
package/src/index.ts +430 -0
package/src/jwt.ts +9 -0
package/src/lib/actions.ts +144 -0
package/src/lib/client.ts +245 -0
package/src/lib/env.ts +36 -0
package/src/lib/index.ts +313 -0
package/src/lib/types.ts +30 -0
package/src/middleware.ts +16 -0
package/src/next.ts +16 -0
package/src/providers/42-school.ts +2 -0
package/src/providers/apple.ts +2 -0
package/src/providers/asgardeo.ts +2 -0
package/src/providers/atlassian.ts +2 -0
package/src/providers/auth0.ts +2 -0
package/src/providers/authentik.ts +2 -0
package/src/providers/azure-ad-b2c.ts +2 -0
package/src/providers/azure-ad.ts +2 -0
package/src/providers/azure-devops.ts +2 -0
package/src/providers/bankid-no.ts +2 -0
package/src/providers/battlenet.ts +2 -0
package/src/providers/beyondidentity.ts +2 -0
package/src/providers/bitbucket.ts +2 -0
package/src/providers/box.ts +2 -0
package/src/providers/boxyhq-saml.ts +2 -0
package/src/providers/bungie.ts +2 -0
package/src/providers/click-up.ts +2 -0
package/src/providers/cognito.ts +2 -0
package/src/providers/coinbase.ts +2 -0
package/src/providers/concept2.ts +2 -0
package/src/providers/credentials.ts +2 -0
package/src/providers/descope.ts +2 -0
package/src/providers/discord.ts +2 -0
package/src/providers/dribbble.ts +2 -0
package/src/providers/dropbox.ts +2 -0
package/src/providers/duende-identity-server6.ts +2 -0
package/src/providers/email.ts +2 -0
package/src/providers/eventbrite.ts +2 -0
package/src/providers/eveonline.ts +2 -0
package/src/providers/facebook.ts +2 -0
package/src/providers/faceit.ts +2 -0
package/src/providers/figma.ts +2 -0
package/src/providers/forwardemail.ts +2 -0
package/src/providers/foursquare.ts +2 -0
package/src/providers/freshbooks.ts +2 -0
package/src/providers/frontegg.ts +2 -0
package/src/providers/fusionauth.ts +2 -0
package/src/providers/github.ts +2 -0
package/src/providers/gitlab.ts +2 -0
package/src/providers/google.ts +2 -0
package/src/providers/hubspot.ts +2 -0
package/src/providers/huggingface.ts +2 -0
package/src/providers/identity-server4.ts +2 -0
package/src/providers/index.ts +1 -0
package/src/providers/instagram.ts +2 -0
package/src/providers/kakao.ts +2 -0
package/src/providers/keycloak.ts +2 -0
package/src/providers/kinde.ts +2 -0
package/src/providers/line.ts +2 -0
package/src/providers/linkedin.ts +2 -0
package/src/providers/logto.ts +2 -0
package/src/providers/loops.ts +2 -0
package/src/providers/mailchimp.ts +2 -0
package/src/providers/mailgun.ts +2 -0
package/src/providers/mailru.ts +2 -0
package/src/providers/mastodon.ts +2 -0
package/src/providers/mattermost.ts +2 -0
package/src/providers/medium.ts +2 -0
package/src/providers/microsoft-entra-id.ts +2 -0
package/src/providers/naver.ts +2 -0
package/src/providers/netlify.ts +2 -0
package/src/providers/netsuite.ts +2 -0
package/src/providers/nextcloud.ts +2 -0
package/src/providers/nodemailer.ts +2 -0
package/src/providers/notion.ts +2 -0
package/src/providers/okta.ts +2 -0
package/src/providers/onelogin.ts +2 -0
package/src/providers/ory-hydra.ts +2 -0
package/src/providers/osso.ts +2 -0
package/src/providers/osu.ts +2 -0
package/src/providers/passage.ts +2 -0
package/src/providers/passkey.ts +2 -0
package/src/providers/patreon.ts +2 -0
package/src/providers/ping-id.ts +2 -0
package/src/providers/pinterest.ts +2 -0
package/src/providers/pipedrive.ts +2 -0
package/src/providers/postmark.ts +2 -0
package/src/providers/reddit.ts +2 -0
package/src/providers/resend.ts +2 -0
package/src/providers/roblox.ts +2 -0
package/src/providers/salesforce.ts +2 -0
package/src/providers/sendgrid.ts +2 -0
package/src/providers/simplelogin.ts +2 -0
package/src/providers/slack.ts +2 -0
package/src/providers/spotify.ts +2 -0
package/src/providers/strava.ts +2 -0
package/src/providers/threads.ts +2 -0
package/src/providers/tiktok.ts +2 -0
package/src/providers/todoist.ts +2 -0
package/src/providers/trakt.ts +2 -0
package/src/providers/twitch.ts +2 -0
package/src/providers/twitter.ts +2 -0
package/src/providers/united-effects.ts +2 -0
package/src/providers/vipps.ts +2 -0
package/src/providers/vk.ts +2 -0
package/src/providers/webauthn.ts +2 -0
package/src/providers/webex.ts +2 -0
package/src/providers/wechat.ts +2 -0
package/src/providers/wikimedia.ts +2 -0
package/src/providers/wordpress.ts +2 -0
package/src/providers/workos.ts +2 -0
package/src/providers/yandex.ts +2 -0
package/src/providers/zitadel.ts +2 -0
package/src/providers/zoho.ts +2 -0
package/src/providers/zoom.ts +2 -0
package/src/react.tsx +546 -0
package/src/webauthn.ts +152 -0
package/webauthn.d.ts +9 -0
package/webauthn.d.ts.map +1 -0
package/webauthn.js +92 -0
package/dist/actions-CMtg7FGv.js +0 -1
package/dist/actions-CjQUKaXF.mjs +0 -200
package/dist/client/index.js +0 -1
package/dist/client/index.mjs +0 -484
package/dist/components/AccountPicker.d.ts +0 -11
package/dist/components/OAuthButton.d.ts +0 -11
package/dist/components/PassKeyButton.d.ts +0 -11
package/dist/components/PassKeyRegister.d.ts +0 -10
package/dist/components/TwoFactorSetup.d.ts +0 -8
package/dist/components/TwoFactorVerify.d.ts +0 -9
package/dist/core/account-picker/encryption.d.ts +0 -22
package/dist/core/account-picker/index.d.ts +0 -22
package/dist/core/auth/email-password.d.ts +0 -145
package/dist/core/auth/oauth/index.d.ts +0 -14
package/dist/core/auth/oauth/oauth-handler.d.ts +0 -172
package/dist/core/auth/oauth/pkce.d.ts +0 -168
package/dist/core/auth/oauth/providers.d.ts +0 -198
package/dist/core/auth/oauth/state-store-cookie.d.ts +0 -83
package/dist/core/auth/oauth/state-store-redis.d.ts +0 -25
package/dist/core/auth/oauth/state-store.d.ts +0 -48
package/dist/core/auth/otp.d.ts +0 -184
package/dist/core/auth/passkey.d.ts +0 -35
package/dist/core/auth/password.d.ts +0 -22
package/dist/core/auth/signin-unified.d.ts +0 -33
package/dist/core/auth/two-factor.d.ts +0 -28
package/dist/core/client/index.d.ts +0 -132
package/dist/core/client/token-refresh-manager.d.ts +0 -48
package/dist/core/errors/index.d.ts +0 -269
package/dist/core/index.d.ts +0 -9
package/dist/core/logger/index.d.ts +0 -147
package/dist/core/mulguard/auth-handlers.d.ts +0 -100
package/dist/core/mulguard/defaults.d.ts +0 -58
package/dist/core/mulguard/index.d.ts +0 -9
package/dist/core/mulguard/integration.d.ts +0 -104
package/dist/core/mulguard/oauth-handler.d.ts +0 -93
package/dist/core/mulguard/session-manager.d.ts +0 -94
package/dist/core/security/csrf.d.ts +0 -46
package/dist/core/security/headers.d.ts +0 -24
package/dist/core/security/index.d.ts +0 -132
package/dist/core/security/rate-limit.d.ts +0 -39
package/dist/core/security/security-manager.d.ts +0 -236
package/dist/core/security/validation.d.ts +0 -251
package/dist/core/security/xss.d.ts +0 -20
package/dist/core/session/index.d.ts +0 -35
package/dist/core/session/session-manager.d.ts +0 -235
package/dist/core/types/auth.d.ts +0 -290
package/dist/core/types/errors.d.ts +0 -200
package/dist/core/types/index.d.ts +0 -484
package/dist/core/utils/auth-helpers.d.ts +0 -136
package/dist/core/utils/logger.d.ts +0 -121
package/dist/index/index.js +0 -1
package/dist/index/index.mjs +0 -2736
package/dist/index.d.ts +0 -18
package/dist/mulguard.d.ts +0 -373
package/dist/nextjs/client/hooks.d.ts +0 -122
package/dist/nextjs/client/index.d.ts +0 -13
package/dist/nextjs/client/provider.d.ts +0 -69
package/dist/nextjs/client/server-actions-helper.d.ts +0 -22
package/dist/nextjs/handlers/api.d.ts +0 -10
package/dist/nextjs/handlers/index.d.ts +0 -9
package/dist/nextjs/handlers/route.d.ts +0 -76
package/dist/nextjs/index.d.ts +0 -15
package/dist/nextjs/proxy/index.d.ts +0 -149
package/dist/nextjs/proxy/security.d.ts +0 -9
package/dist/nextjs/server/actions.d.ts +0 -30
package/dist/nextjs/server/auth.d.ts +0 -65
package/dist/nextjs/server/cookies.d.ts +0 -41
package/dist/nextjs/server/index.d.ts +0 -18
package/dist/nextjs/server/oauth-state.d.ts +0 -32
package/dist/nextjs/server/session-helpers.d.ts +0 -24
package/dist/nextjs/server/session.d.ts +0 -144
package/dist/oauth-state-Drwz6fES.js +0 -1
package/dist/oauth-state-pdypStuS.mjs +0 -210
package/dist/server/index.js +0 -1
package/dist/server/index.mjs +0 -29

package/dist/index/index.mjs DELETED Viewed

@@ -1,2736 +0,0 @@
-var ve = Object.defineProperty;
-var Se = (e, r, t) => r in e ? ve(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
-var x = (e, r, t) => Se(e, typeof r != "symbol" ? r + "" : r, t);
-import { A as m, d as Ae, e as Re, c as Oe, g as Te } from "../actions-CjQUKaXF.mjs";
-import { a as Gt, s as Kt, b as Xt, v as Jt } from "../actions-CjQUKaXF.mjs";
-import { v as F } from "../oauth-state-pdypStuS.mjs";
-import { S as Qt, e as Zt, d as en, m as rn, g as tn, l as nn, b as sn, c as on, j as an, i as cn, f as un, h as ln, k as fn, r as dn, a as hn, s as gn } from "../oauth-state-pdypStuS.mjs";
-import { NextResponse as A } from "next/server";
-const L = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-function _e(e) {
-  return e instanceof Uint8Array || ArrayBuffer.isView(e) && e.constructor.name === "Uint8Array";
-}
-function G(e, ...r) {
-  if (!_e(e))
-    throw new Error("Uint8Array expected");
-  if (r.length > 0 && !r.includes(e.length))
-    throw new Error("Uint8Array expected of length " + r + ", got length=" + e.length);
-}
-function Q(e, r = !0) {
-  if (e.destroyed)
-    throw new Error("Hash instance has been destroyed");
-  if (r && e.finished)
-    throw new Error("Hash#digest() has already been called");
-}
-function be(e, r) {
-  G(e);
-  const t = r.outputLen;
-  if (e.length < t)
-    throw new Error("digestInto() expects output buffer of length at least " + t);
-}
-function q(...e) {
-  for (let r = 0; r < e.length; r++)
-    e[r].fill(0);
-}
-function H(e) {
-  return new DataView(e.buffer, e.byteOffset, e.byteLength);
-}
-function P(e, r) {
-  return e << 32 - r | e >>> r;
-}
-function Ce(e) {
-  if (typeof e != "string")
-    throw new Error("string expected");
-  return new Uint8Array(new TextEncoder().encode(e));
-}
-function re(e) {
-  return typeof e == "string" && (e = Ce(e)), G(e), e;
-}
-class Ie {
-}
-function xe(e) {
-  const r = (n) => e().update(re(n)).digest(), t = e();
-  return r.outputLen = t.outputLen, r.blockLen = t.blockLen, r.create = () => e(), r;
-}
-function te(e = 32) {
-  if (L && typeof L.getRandomValues == "function")
-    return L.getRandomValues(new Uint8Array(e));
-  if (L && typeof L.randomBytes == "function")
-    return Uint8Array.from(L.randomBytes(e));
-  throw new Error("crypto.getRandomValues must be defined");
-}
-class Pe {
-  constructor(r) {
-    x(this, "attempts", /* @__PURE__ */ new Map());
-    x(this, "config");
-    this.config = r;
-  }
-  /**
-   * Check if request is allowed
-   */
-  check(r) {
-    const t = Date.now(), n = this.attempts.get(r);
-    return !n || n.resetAt < t ? (this.attempts.set(r, {
-      count: 1,
-      resetAt: t + this.config.windowMs
-    }), {
-      allowed: !0,
-      remaining: this.config.maxAttempts - 1,
-      resetAt: new Date(t + this.config.windowMs)
-    }) : n.count >= this.config.maxAttempts ? {
-      allowed: !1,
-      remaining: 0,
-      resetAt: new Date(n.resetAt)
-    } : (n.count++, {
-      allowed: !0,
-      remaining: this.config.maxAttempts - n.count,
-      resetAt: new Date(n.resetAt)
-    });
-  }
-  /**
-   * Reset rate limit for a key
-   */
-  reset(r) {
-    this.attempts.delete(r);
-  }
-  /**
-   * Clear all rate limits
-   */
-  clear() {
-    this.attempts.clear();
-  }
-}
-function ut(e) {
-  return new Pe(e);
-}
-const Ne = {
-  "X-Content-Type-Options": "nosniff",
-  "X-Frame-Options": "DENY",
-  "X-XSS-Protection": "1; mode=block",
-  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
-  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
-  "Referrer-Policy": "strict-origin-when-cross-origin",
-  "Permissions-Policy": "geolocation=(), microphone=(), camera=()"
-};
-function ne(e) {
-  return {
-    ...Ne,
-    ...e
-  };
-}
-function lt(e, r) {
-  const t = ne(r);
-  for (const [n, s] of Object.entries(t))
-    s && e.set(n, s);
-}
-const Ue = /^[^\s@]+@[^\s@]+\.[^\s@]+$/, De = 254;
-function se(e) {
-  var t;
-  if (typeof e != "string" || !e)
-    return { valid: !1, error: "Email is required" };
-  const r = e.trim().toLowerCase();
-  return Ue.test(r) ? r.length > De ? { valid: !1, error: "Email is too long" } : r.includes("..") || r.startsWith(".") || r.endsWith(".") ? { valid: !1, error: "Invalid email format" } : (t = r.split("@")[1]) != null && t.includes("..") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: r } : { valid: !1, error: "Invalid email format" };
-}
-function ie(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const Fe = /* @__PURE__ */ new Set([
-  "password",
-  "12345678",
-  "qwerty",
-  "abc123",
-  "password123",
-  "123456789",
-  "1234567890",
-  "letmein",
-  "welcome",
-  "monkey",
-  "dragon",
-  "master",
-  "sunshine",
-  "princess",
-  "football",
-  "admin",
-  "root",
-  "test",
-  "guest",
-  "user"
-]), Le = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, Ve = 8, Me = 128;
-function ft(e, r = Ve) {
-  if (typeof e != "string" || !e)
-    return { valid: !1, error: "Password is required" };
-  if (e.length < r)
-    return { valid: !1, error: `Password must be at least ${r} characters` };
-  if (e.length > Me)
-    return { valid: !1, error: "Password is too long" };
-  const t = e.toLowerCase();
-  if (Fe.has(t))
-    return { valid: !1, error: "Password is too common" };
-  if (/(.)\1{3,}/.test(e))
-    return { valid: !1, error: "Password contains too many repeated characters" };
-  if (Le.test(e))
-    return { valid: !1, error: "Password contains sequential characters" };
-  const n = je(e);
-  return { valid: !0, sanitized: e, strength: n };
-}
-function je(e) {
-  let r = 0;
-  return e.length >= 12 ? r += 2 : e.length >= 8 && (r += 1), /[a-z]/.test(e) && (r += 1), /[A-Z]/.test(e) && (r += 1), /[0-9]/.test(e) && (r += 1), /[^a-zA-Z0-9]/.test(e) && (r += 1), r >= 5 ? "strong" : r >= 3 ? "medium" : "weak";
-}
-function dt(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const ze = 100;
-function ht(e) {
-  if (typeof e != "string" || !e)
-    return { valid: !1, error: "Name is required" };
-  const r = e.trim();
-  if (r.length < 1)
-    return { valid: !1, error: "Name cannot be empty" };
-  if (r.length > ze)
-    return { valid: !1, error: "Name is too long" };
-  const t = r.replace(/[<>"']/g, "");
-  return t.length === 0 ? { valid: !1, error: "Name contains only invalid characters" } : { valid: !0, sanitized: t };
-}
-function gt(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const Be = /* @__PURE__ */ new Set(["http:", "https:"]);
-function wt(e) {
-  if (typeof e != "string" || !e)
-    return { valid: !1, error: "URL is required" };
-  try {
-    const r = new URL(e);
-    return Be.has(r.protocol) ? { valid: !0, sanitized: e } : { valid: !1, error: "URL must use http or https protocol" };
-  } catch {
-    return { valid: !1, error: "Invalid URL format" };
-  }
-}
-function pt(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const $e = 16, He = 512, qe = /^[A-Za-z0-9_-]+$/;
-function mt(e, r = $e) {
-  return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > He ? { valid: !1, error: "Token is too long" } : qe.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
-}
-function Et(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-const We = 1e3;
-function oe(e, r) {
-  const { maxLength: t = We, allowHtml: n = !1, required: s = !0 } = r ?? {};
-  if (s && (typeof e != "string" || !e || e.trim().length === 0))
-    return { valid: !1, error: "Input is required" };
-  if (typeof e != "string" || !e)
-    return { valid: !0, sanitized: "" };
-  let i = e.trim();
-  return i.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (i = i.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), i = i.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: i });
-}
-function yt(e) {
-  return e.valid === !0 && e.sanitized !== void 0;
-}
-class Ge {
-  constructor() {
-    x(this, "tokens", /* @__PURE__ */ new Map());
-  }
-  get(r) {
-    const t = this.tokens.get(r);
-    return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t.value : null;
-  }
-  set(r, t, n = 36e5) {
-    this.tokens.set(r, {
-      value: t,
-      expiresAt: Date.now() + n
-    });
-  }
-  delete(r) {
-    this.tokens.delete(r);
-  }
-  clear() {
-    this.tokens.clear();
-  }
-}
-class Ke {
-  constructor(r, t = 32) {
-    x(this, "store");
-    x(this, "tokenLength");
-    this.store = r || new Ge(), this.tokenLength = t;
-  }
-  /**
-   * Generate CSRF token
-   */
-  generateToken(r, t) {
-    const n = ce(this.tokenLength);
-    return this.store.set(r, n, t), n;
-  }
-  /**
-   * Validate CSRF token
-   */
-  validateToken(r, t) {
-    const n = this.store.get(r);
-    if (!n)
-      return !1;
-    const s = le(t, n);
-    return s && this.store.delete(r), s;
-  }
-  /**
-   * Get stored token without validating
-   */
-  getToken(r) {
-    return this.store.get(r);
-  }
-  /**
-   * Delete token
-   */
-  deleteToken(r) {
-    this.store.delete(r);
-  }
-}
-function kt(e) {
-  return new Ke(e);
-}
-function Xe(e) {
-  if (typeof e != "string")
-    return "";
-  const r = {
-    "&": "&amp;",
-    "<": "&lt;",
-    ">": "&gt;",
-    '"': "&quot;",
-    "'": "&#039;"
-  };
-  return e.replace(/[&<>"']/g, (t) => r[t] || t);
-}
-function vt(e) {
-  return typeof e != "string" ? "" : e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
-}
-function St(e) {
-  return typeof e != "string" ? "" : Xe(e.trim());
-}
-function At(e) {
-  return typeof e != "string" ? !1 : [
-    /<script/i,
-    /javascript:/i,
-    /on\w+\s*=/i,
-    /<iframe/i,
-    /<object/i,
-    /<embed/i,
-    /<link/i,
-    /<meta/i,
-    /expression\s*\(/i,
-    /vbscript:/i
-  ].some((t) => t.test(e));
-}
-const ae = 32;
-function ce(e = ae) {
-  if (e < 1 || e > 256)
-    throw new Error("Token length must be between 1 and 256 bytes");
-  const r = te(e);
-  return Buffer.from(r).toString("base64url");
-}
-function ue() {
-  return ce(ae);
-}
-function le(e, r) {
-  if (typeof e != "string" || typeof r != "string" || !e || !r || e.length !== r.length)
-    return !1;
-  let t = 0;
-  for (let n = 0; n < e.length; n++)
-    t |= e.charCodeAt(n) ^ r.charCodeAt(n);
-  return t === 0;
-}
-function Rt(e, r) {
-  return le(e, r);
-}
-function Ot(e) {
-  return typeof e != "string" ? "" : e.trim().replace(/[<>]/g, "");
-}
-const Je = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-function Tt(e) {
-  return typeof e == "string" && Je.test(e);
-}
-function Ye(e) {
-  return !e.success && !!e.error;
-}
-function _t(e) {
-  return e.requires2FA === !0 || e.errorCode === m.TWO_FA_REQUIRED;
-}
-function bt(e, r) {
-  return e.error ? e.error : r || "Authentication failed";
-}
-function Ct(e) {
-  return e.errorCode;
-}
-function It(e) {
-  return e.success === !0 && !!e.user;
-}
-function xt(e, r) {
-  return e.errorCode === r;
-}
-function Pt(e) {
-  if (!Ye(e)) return !1;
-  const r = [
-    m.NETWORK_ERROR,
-    m.RATE_LIMITED,
-    m.UNKNOWN_ERROR
-  ];
-  return e.errorCode ? r.includes(e.errorCode) : !1;
-}
-function Nt(e) {
-  if (e.error) return e.error;
-  switch (e.errorCode) {
-    case m.INVALID_CREDENTIALS:
-      return "Invalid email or password. Please try again.";
-    case m.ACCOUNT_LOCKED:
-      return "Your account has been temporarily locked. Please try again later.";
-    case m.ACCOUNT_INACTIVE:
-      return "Your account is inactive. Please contact support.";
-    case m.TWO_FA_REQUIRED:
-      return "Two-factor authentication is required. Please enter your code.";
-    case m.INVALID_TWO_FA_CODE:
-      return "Invalid two-factor authentication code. Please try again.";
-    case m.SESSION_EXPIRED:
-      return "Your session has expired. Please sign in again.";
-    case m.UNAUTHORIZED:
-      return "You are not authorized to perform this action.";
-    case m.NETWORK_ERROR:
-      return "Network error. Please check your connection and try again.";
-    case m.VALIDATION_ERROR:
-      return "Please check your input and try again.";
-    case m.RATE_LIMITED:
-      return "Too many attempts. Please try again later.";
-    case m.UNKNOWN_ERROR:
-    default:
-      return "An unexpected error occurred. Please try again.";
-  }
-}
-async function Ut(e, r, t) {
-  return r === "credentials" ? !t || !("email" in t) || !("password" in t) ? {
-    success: !1,
-    error: "Credentials are required"
-  } : e.signIn("credentials", t) : r === "otp" ? !t || !("email" in t) ? {
-    success: !1,
-    error: "Email is required"
-  } : e.signIn("otp", t) : r === "passkey" ? e.signIn("passkey", t) : e.signIn(r);
-}
-const fe = {
-  google: {
-    authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-    tokenUrl: "https://oauth2.googleapis.com/token",
-    userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
-    defaultScopes: ["openid", "profile", "email"]
-  },
-  github: {
-    authorizationUrl: "https://github.com/login/oauth/authorize",
-    tokenUrl: "https://github.com/login/oauth/access_token",
-    userInfoUrl: "https://api.github.com/user",
-    defaultScopes: ["user:email"]
-  },
-  apple: {
-    authorizationUrl: "https://appleid.apple.com/auth/authorize",
-    tokenUrl: "https://appleid.apple.com/auth/token",
-    userInfoUrl: "https://appleid.apple.com/auth/userinfo",
-    defaultScopes: ["name", "email"],
-    defaultParams: {
-      response_mode: "form_post",
-      response_type: "code id_token"
-    }
-  },
-  facebook: {
-    authorizationUrl: "https://www.facebook.com/v18.0/dialog/oauth",
-    tokenUrl: "https://graph.facebook.com/v18.0/oauth/access_token",
-    userInfoUrl: "https://graph.facebook.com/v18.0/me?fields=id,name,email,picture",
-    defaultScopes: ["email", "public_profile"]
-  }
-};
-function K(e) {
-  return fe[e] ?? null;
-}
-function Dt(e) {
-  return e in fe;
-}
-function de(e, r, t, n) {
-  const s = K(e);
-  if (!s)
-    throw new Error(`Unknown OAuth provider: ${e}`);
-  if (!r.clientId)
-    throw new Error(`OAuth provider "${e}" is missing clientId`);
-  const i = r.redirectUri ?? `${t}/api/auth/callback/${e}`, o = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
-    client_id: r.clientId,
-    redirect_uri: i,
-    response_type: "code",
-    scope: Array.isArray(o) ? o.join(" ") : String(o),
-    state: n
-  });
-  if (s.defaultParams)
-    for (const [c, u] of Object.entries(s.defaultParams))
-      a.append(c, u);
-  if (r.params)
-    for (const [c, u] of Object.entries(r.params))
-      a.set(c, u);
-  return `${s.authorizationUrl}?${a.toString()}`;
-}
-async function he(e, r, t, n, s) {
-  const i = K(e);
-  if (!i)
-    throw new Error(`Unknown OAuth provider: ${e}`);
-  if (!t || typeof t != "string")
-    throw new Error("Authorization code is required");
-  if (!r.clientId)
-    throw new Error(`OAuth provider "${e}" is missing clientId`);
-  const o = new URLSearchParams({
-    client_id: r.clientId,
-    code: t,
-    redirect_uri: n,
-    grant_type: "authorization_code"
-  });
-  s && o.append("code_verifier", s), r.clientSecret && o.append("client_secret", r.clientSecret);
-  try {
-    const a = await fetch(i.tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
-      },
-      body: o.toString()
-    });
-    if (!a.ok) {
-      const u = await a.text();
-      let h = `Failed to exchange code for tokens: ${u}`;
-      try {
-        const f = JSON.parse(u);
-        h = f.error_description ?? f.error ?? h;
-      } catch {
-      }
-      throw new Error(h);
-    }
-    const c = await a.json();
-    if (!Qe(c))
-      throw new Error("Invalid token exchange response format");
-    return c;
-  } catch (a) {
-    throw a instanceof Error ? a : new Error(`OAuth token exchange failed: ${String(a)}`);
-  }
-}
-function Qe(e) {
-  return typeof e == "object" && e !== null && "access_token" in e && typeof e.access_token == "string";
-}
-async function ge(e, r) {
-  const t = K(e);
-  if (!t)
-    throw new Error(`Unknown OAuth provider: ${e}`);
-  if (!r || typeof r != "string")
-    throw new Error("Access token is required");
-  try {
-    const n = await fetch(t.userInfoUrl, {
-      headers: {
-        Authorization: `Bearer ${r}`,
-        Accept: "application/json"
-      }
-    });
-    if (!n.ok) {
-      const i = await n.text();
-      let o = `Failed to fetch user info: ${i}`;
-      try {
-        const a = JSON.parse(i);
-        o = a.error_description ?? a.error ?? o;
-      } catch {
-      }
-      throw new Error(o);
-    }
-    const s = await n.json();
-    return Ze(e, s, r);
-  } catch (n) {
-    throw n instanceof Error ? n : new Error(`OAuth user info retrieval failed: ${String(n)}`);
-  }
-}
-async function Ze(e, r, t) {
-  switch (e) {
-    case "google":
-      return er(r);
-    case "github":
-      return await rr(r, t);
-    case "apple":
-      return tr(r);
-    case "facebook":
-      return nr(r);
-    default:
-      return sr(r);
-  }
-}
-function er(e) {
-  return {
-    id: String(e.sub ?? e.id ?? ""),
-    email: String(e.email ?? ""),
-    name: String(e.name ?? ""),
-    avatar: typeof e.picture == "string" ? e.picture : void 0,
-    emailVerified: !!e.email_verified,
-    rawProfile: e
-  };
-}
-async function rr(e, r) {
-  let t = typeof e.email == "string" ? e.email : void 0, n = { ...e };
-  if (!t)
-    try {
-      const s = await fetch("https://api.github.com/user/emails", {
-        headers: { Authorization: `Bearer ${r}` }
-      });
-      if (s.ok) {
-        const i = await s.json(), o = i.find((a) => a.primary) ?? i[0];
-        t = (o == null ? void 0 : o.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: i };
-      } else
-        t = `${String(e.login ?? "user")}@users.noreply.github.com`;
-    } catch {
-      t = `${String(e.login ?? "user")}@users.noreply.github.com`;
-    }
-  return {
-    id: String(e.id ?? ""),
-    email: t ?? "",
-    name: String(e.name ?? e.login ?? ""),
-    avatar: typeof e.avatar_url == "string" ? e.avatar_url : void 0,
-    emailVerified: !!t,
-    rawProfile: n
-  };
-}
-function tr(e) {
-  const r = e.name, t = r ? `${r.firstName ?? ""} ${r.lastName ?? ""}`.trim() : "";
-  return {
-    id: String(e.sub ?? ""),
-    email: String(e.email ?? ""),
-    name: t,
-    emailVerified: !!e.email_verified,
-    rawProfile: e
-  };
-}
-function nr(e) {
-  var t;
-  const r = e.picture;
-  return {
-    id: String(e.id ?? ""),
-    email: String(e.email ?? ""),
-    name: String(e.name ?? ""),
-    avatar: (t = r == null ? void 0 : r.data) == null ? void 0 : t.url,
-    emailVerified: !0,
-    rawProfile: e
-  };
-}
-function sr(e) {
-  return {
-    id: String(e.id ?? e.sub ?? ""),
-    email: String(e.email ?? ""),
-    name: String(e.name ?? e.display_name ?? e.username ?? ""),
-    avatar: typeof e.avatar == "string" ? e.avatar : typeof e.picture == "string" ? e.picture : typeof e.avatar_url == "string" ? e.avatar_url : void 0,
-    emailVerified: !!(e.email_verified ?? e.emailVerified ?? !1),
-    rawProfile: e
-  };
-}
-function Ft(e) {
-  return typeof e == "object" && e !== null && "clientId" in e && typeof e.clientId == "string";
-}
-function ir(e, r, t, n) {
-  if (typeof e.setBigUint64 == "function")
-    return e.setBigUint64(r, t, n);
-  const s = BigInt(32), i = BigInt(4294967295), o = Number(t >> s & i), a = Number(t & i), c = n ? 4 : 0, u = n ? 0 : 4;
-  e.setUint32(r + c, o, n), e.setUint32(r + u, a, n);
-}
-function or(e, r, t) {
-  return e & r ^ ~e & t;
-}
-function ar(e, r, t) {
-  return e & r ^ e & t ^ r & t;
-}
-class cr extends Ie {
-  constructor(r, t, n, s) {
-    super(), this.finished = !1, this.length = 0, this.pos = 0, this.destroyed = !1, this.blockLen = r, this.outputLen = t, this.padOffset = n, this.isLE = s, this.buffer = new Uint8Array(r), this.view = H(this.buffer);
-  }
-  update(r) {
-    Q(this), r = re(r), G(r);
-    const { view: t, buffer: n, blockLen: s } = this, i = r.length;
-    for (let o = 0; o < i; ) {
-      const a = Math.min(s - this.pos, i - o);
-      if (a === s) {
-        const c = H(r);
-        for (; s <= i - o; o += s)
-          this.process(c, o);
-        continue;
-      }
-      n.set(r.subarray(o, o + a), this.pos), this.pos += a, o += a, this.pos === s && (this.process(t, 0), this.pos = 0);
-    }
-    return this.length += r.length, this.roundClean(), this;
-  }
-  digestInto(r) {
-    Q(this), be(r, this), this.finished = !0;
-    const { buffer: t, view: n, blockLen: s, isLE: i } = this;
-    let { pos: o } = this;
-    t[o++] = 128, q(this.buffer.subarray(o)), this.padOffset > s - o && (this.process(n, 0), o = 0);
-    for (let f = o; f < s; f++)
-      t[f] = 0;
-    ir(n, s - 8, BigInt(this.length * 8), i), this.process(n, 0);
-    const a = H(r), c = this.outputLen;
-    if (c % 4)
-      throw new Error("_sha2: outputLen should be aligned to 32bit");
-    const u = c / 4, h = this.get();
-    if (u > h.length)
-      throw new Error("_sha2: outputLen bigger than state");
-    for (let f = 0; f < u; f++)
-      a.setUint32(4 * f, h[f], i);
-  }
-  digest() {
-    const { buffer: r, outputLen: t } = this;
-    this.digestInto(r);
-    const n = r.slice(0, t);
-    return this.destroy(), n;
-  }
-  _cloneInto(r) {
-    r || (r = new this.constructor()), r.set(...this.get());
-    const { blockLen: t, buffer: n, length: s, finished: i, destroyed: o, pos: a } = this;
-    return r.destroyed = o, r.finished = i, r.length = s, r.pos = a, s % t && r.buffer.set(n), r;
-  }
-  clone() {
-    return this._cloneInto();
-  }
-}
-const N = /* @__PURE__ */ Uint32Array.from([
-  1779033703,
-  3144134277,
-  1013904242,
-  2773480762,
-  1359893119,
-  2600822924,
-  528734635,
-  1541459225
-]), ur = /* @__PURE__ */ Uint32Array.from([
-  1116352408,
-  1899447441,
-  3049323471,
-  3921009573,
-  961987163,
-  1508970993,
-  2453635748,
-  2870763221,
-  3624381080,
-  310598401,
-  607225278,
-  1426881987,
-  1925078388,
-  2162078206,
-  2614888103,
-  3248222580,
-  3835390401,
-  4022224774,
-  264347078,
-  604807628,
-  770255983,
-  1249150122,
-  1555081692,
-  1996064986,
-  2554220882,
-  2821834349,
-  2952996808,
-  3210313671,
-  3336571891,
-  3584528711,
-  113926993,
-  338241895,
-  666307205,
-  773529912,
-  1294757372,
-  1396182291,
-  1695183700,
-  1986661051,
-  2177026350,
-  2456956037,
-  2730485921,
-  2820302411,
-  3259730800,
-  3345764771,
-  3516065817,
-  3600352804,
-  4094571909,
-  275423344,
-  430227734,
-  506948616,
-  659060556,
-  883997877,
-  958139571,
-  1322822218,
-  1537002063,
-  1747873779,
-  1955562222,
-  2024104815,
-  2227730452,
-  2361852424,
-  2428436474,
-  2756734187,
-  3204031479,
-  3329325298
-]), U = /* @__PURE__ */ new Uint32Array(64);
-class lr extends cr {
-  constructor(r = 32) {
-    super(64, r, 8, !1), this.A = N[0] | 0, this.B = N[1] | 0, this.C = N[2] | 0, this.D = N[3] | 0, this.E = N[4] | 0, this.F = N[5] | 0, this.G = N[6] | 0, this.H = N[7] | 0;
-  }
-  get() {
-    const { A: r, B: t, C: n, D: s, E: i, F: o, G: a, H: c } = this;
-    return [r, t, n, s, i, o, a, c];
-  }
-  // prettier-ignore
-  set(r, t, n, s, i, o, a, c) {
-    this.A = r | 0, this.B = t | 0, this.C = n | 0, this.D = s | 0, this.E = i | 0, this.F = o | 0, this.G = a | 0, this.H = c | 0;
-  }
-  process(r, t) {
-    for (let f = 0; f < 16; f++, t += 4)
-      U[f] = r.getUint32(t, !1);
-    for (let f = 16; f < 64; f++) {
-      const y = U[f - 15], E = U[f - 2], v = P(y, 7) ^ P(y, 18) ^ y >>> 3, p = P(E, 17) ^ P(E, 19) ^ E >>> 10;
-      U[f] = p + U[f - 7] + v + U[f - 16] | 0;
-    }
-    let { A: n, B: s, C: i, D: o, E: a, F: c, G: u, H: h } = this;
-    for (let f = 0; f < 64; f++) {
-      const y = P(a, 6) ^ P(a, 11) ^ P(a, 25), E = h + y + or(a, c, u) + ur[f] + U[f] | 0, p = (P(n, 2) ^ P(n, 13) ^ P(n, 22)) + ar(n, s, i) | 0;
-      h = u, u = c, c = a, a = o + E | 0, o = i, i = s, s = n, n = E + p | 0;
-    }
-    n = n + this.A | 0, s = s + this.B | 0, i = i + this.C | 0, o = o + this.D | 0, a = a + this.E | 0, c = c + this.F | 0, u = u + this.G | 0, h = h + this.H | 0, this.set(n, s, i, o, a, c, u, h);
-  }
-  roundClean() {
-    q(U);
-  }
-  destroy() {
-    this.set(0, 0, 0, 0, 0, 0, 0, 0), q(this.buffer);
-  }
-}
-const fr = /* @__PURE__ */ xe(() => new lr()), dr = fr, we = 43;
-function hr(e = we) {
-  if (e < 43 || e > 128)
-    throw new Error("Code verifier length must be between 43 and 128 characters");
-  const r = te(Math.ceil(e * 0.75));
-  return Buffer.from(r).toString("base64url").substring(0, e);
-}
-function pe(e) {
-  if (!e || e.length < 43 || e.length > 128)
-    throw new Error("Invalid code verifier");
-  const r = dr(e);
-  return Buffer.from(r).toString("base64url");
-}
-function gr(e = we, r = "S256") {
-  const t = hr(e), n = r === "S256" ? pe(t) : t;
-  return {
-    codeVerifier: t,
-    codeChallenge: n,
-    codeChallengeMethod: r
-  };
-}
-function Lt(e, r, t = "S256") {
-  if (!e || !r)
-    return {
-      valid: !1,
-      error: "Code verifier and challenge are required"
-    };
-  let n;
-  if (t === "S256")
-    try {
-      n = pe(e);
-    } catch (s) {
-      return {
-        valid: !1,
-        error: s instanceof Error ? s.message : "Failed to generate expected challenge"
-      };
-    }
-  else
-    n = e;
-  return wr(r, n) ? { valid: !0 } : {
-    valid: !1,
-    error: "Code challenge verification failed"
-  };
-}
-function wr(e, r) {
-  if (e.length !== r.length)
-    return !1;
-  let t = 0;
-  for (let n = 0; n < e.length; n++)
-    t |= e.charCodeAt(n) ^ r.charCodeAt(n);
-  return t === 0;
-}
-class pr {
-  constructor() {
-    x(this, "storage", /* @__PURE__ */ new Map());
-  }
-  async set(r, t, n) {
-    this.storage.set(r, {
-      codeVerifier: t,
-      expiresAt: Date.now() + n
-    });
-  }
-  async get(r) {
-    const t = this.storage.get(r);
-    return t ? t.expiresAt < Date.now() ? (this.storage.delete(r), null) : t.codeVerifier : null;
-  }
-  async delete(r) {
-    this.storage.delete(r);
-  }
-}
-const mr = "__mulguard_oauth_state", Er = 10 * 60 * 1e3;
-function yr(e) {
-  const r = e.cookieName || mr, t = e.ttl || Er, n = process.env.NODE_ENV === "production", s = e.secure ?? n, i = e.sameSite || "strict", o = e.cookieHandler, a = (c) => ({
-    httpOnly: !0,
-    secure: s,
-    sameSite: i,
-    maxAge: Math.floor(c / 1e3),
-    // Convert to seconds
-    path: "/"
-  });
-  return {
-    async set(c, u, h) {
-      const f = JSON.stringify({
-        state: c,
-        provider: u.provider,
-        expiresAt: u.expiresAt
-      });
-      await Promise.resolve(
-        o.setCookie(r, f, a(t))
-      );
-    },
-    async get(c) {
-      const u = await Promise.resolve(o.getCookie(r));
-      if (!u)
-        return null;
-      try {
-        const h = JSON.parse(u);
-        return h.state !== c ? null : h.expiresAt < Date.now() ? (await Promise.resolve(
-          o.deleteCookie(r, { path: "/" })
-        ), null) : {
-          provider: h.provider,
-          expiresAt: h.expiresAt
-        };
-      } catch {
-        return await Promise.resolve(
-          o.deleteCookie(r, { path: "/" })
-        ), null;
-      }
-    },
-    async delete(c) {
-      await this.get(c) && await Promise.resolve(
-        o.deleteCookie(r, { path: "/" })
-      );
-    },
-    async cleanup() {
-    }
-  };
-}
-function Vt() {
-  return yr({
-    cookieHandler: {
-      async getCookie(e) {
-        var r;
-        try {
-          const { cookies: t } = await import("next/headers");
-          return ((r = (await t()).get(e)) == null ? void 0 : r.value) || null;
-        } catch {
-          return null;
-        }
-      },
-      async setCookie(e, r, t) {
-        try {
-          const { cookies: n } = await import("next/headers");
-          (await n()).set(e, r, {
-            httpOnly: t.httpOnly ?? !0,
-            secure: t.secure ?? process.env.NODE_ENV === "production",
-            sameSite: t.sameSite || "strict",
-            maxAge: t.maxAge,
-            path: t.path || "/"
-          });
-        } catch (n) {
-          console.warn("[Mulguard] Failed to set OAuth state cookie:", n);
-        }
-      },
-      async deleteCookie(e, r) {
-        try {
-          const { cookies: t } = await import("next/headers");
-          (await t()).set(e, "", {
-            maxAge: 0,
-            expires: /* @__PURE__ */ new Date(0),
-            path: (r == null ? void 0 : r.path) || "/"
-          });
-        } catch {
-        }
-      }
-    }
-  });
-}
-function Mt(e, r = "mulguard:oauth:state:") {
-  const t = (s) => `${r}${s}`, n = async (s) => {
-    const i = t(s);
-    await e.del(i);
-  };
-  return {
-    async set(s, i, o) {
-      const a = t(s), c = JSON.stringify(i);
-      await e.set(a, c, "EX", Math.floor(o / 1e3));
-    },
-    async get(s) {
-      const i = t(s), o = await e.get(i);
-      if (!o)
-        return null;
-      try {
-        const a = JSON.parse(o);
-        return a.expiresAt < Date.now() ? (await n(s), null) : a;
-      } catch {
-        return await n(s), null;
-      }
-    },
-    async delete(s) {
-      await n(s);
-    },
-    async cleanup() {
-      try {
-        const s = await e.keys(`${r}*`), i = Date.now();
-        for (const o of s) {
-          const a = await e.get(o);
-          if (a)
-            try {
-              JSON.parse(a).expiresAt < i && await e.del(o);
-            } catch {
-              await e.del(o);
-            }
-        }
-      } catch (s) {
-        console.warn("[Mulguard] OAuth state cleanup warning:", s);
-      }
-    }
-  };
-}
-class kr {
-  constructor() {
-    x(this, "states", /* @__PURE__ */ new Map());
-  }
-  set(r, t, n) {
-    this.states.set(r, t), this.cleanup();
-  }
-  get(r) {
-    const t = this.states.get(r);
-    return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t : null;
-  }
-  delete(r) {
-    this.states.delete(r);
-  }
-  cleanup() {
-    const r = Date.now();
-    for (const [t, n] of this.states.entries())
-      n.expiresAt < r && this.states.delete(t);
-  }
-}
-function vr() {
-  return new kr();
-}
-class Sr {
-  constructor(r) {
-    x(this, "config");
-    x(this, "pkceStorage");
-    var t, n;
-    this.config = {
-      ...r,
-      pkce: {
-        enabled: ((t = r.pkce) == null ? void 0 : t.enabled) ?? !0,
-        // PKCE enabled by default
-        storage: (n = r.pkce) == null ? void 0 : n.storage
-      },
-      stateStore: r.stateStore,
-      logger: r.logger
-    }, this.pkceStorage = this.config.pkce.enabled ? this.config.pkce.storage || new pr() : null;
-  }
-  /**
-   * Initiates OAuth authentication flow.
-   *
-   * Generates authorization URL with PKCE (if enabled) and CSRF state token.
-   *
-   * @param providerId - OAuth provider identifier
-   * @returns OAuth initiation result with authorization URL and state
-   *
-   * @example
-   * ```typescript
-   * const { url, state, codeVerifier } = await handler.initiate('google')
-   * // Store state and codeVerifier securely
-   * // Redirect user to url
-   * ```
-   */
-  async initiate(r) {
-    const t = this.config.providers[r];
-    if (!t)
-      throw new Error(`OAuth provider "${r}" is not configured`);
-    const n = ue();
-    let s, i;
-    if (this.config.pkce.enabled && this.pkceStorage) {
-      const a = gr();
-      s = a.codeVerifier, i = a.codeChallenge, await this.pkceStorage.set(n, s, 10 * 60 * 1e3);
-    }
-    const o = de(
-      r,
-      {
-        ...t,
-        params: {
-          ...t.params,
-          ...i && {
-            code_challenge: i,
-            code_challenge_method: "S256"
-          }
-        }
-      },
-      this.config.baseUrl,
-      n
-    );
-    return this.config.stateStore && await this.config.stateStore.set(n, {
-      provider: r,
-      expiresAt: Date.now() + 10 * 60 * 1e3
-      // 10 minutes
-    }, 10 * 60 * 1e3), {
-      url: o,
-      state: n,
-      ...s && { codeVerifier: s }
-    };
-  }
-  /**
-   * Handles OAuth callback and completes authentication.
-   *
-   * Validates state token, verifies PKCE (if enabled), exchanges code for tokens,
-   * retrieves user profile, and creates session.
-   *
-   * @template TUser - User type
-   * @template TSession - Session type
-   * @param providerId - OAuth provider identifier
-   * @param code - Authorization code from OAuth callback
-   * @param state - CSRF state token
-   * @param codeVerifier - PKCE code verifier (required if PKCE is enabled)
-   * @param userLookup - Function to lookup/create user from OAuth profile
-   * @param createSession - Function to create session (optional)
-   * @returns Authentication result
-   *
-   * @example
-   * ```typescript
-   * const result = await handler.handleCallback(
-   *   'google',
-   *   code,
-   *   state,
-   *   storedCodeVerifier,
-   *   async (userInfo) => {
-   *     // Lookup or create user
-   *     return await db.user.findOrCreate({ email: userInfo.email })
-   *   }
-   * )
-   * ```
-   */
-  async handleCallback(r, t, n, s, i, o) {
-    try {
-      if (!t || !n)
-        return {
-          success: !1,
-          error: "Authorization code and state are required",
-          errorCode: m.VALIDATION_ERROR
-        };
-      if (!await this.validateState(n, r))
-        return {
-          success: !1,
-          error: "Invalid or expired state token",
-          errorCode: m.VALIDATION_ERROR
-        };
-      const c = this.config.providers[r];
-      if (!c)
-        return {
-          success: !1,
-          error: `OAuth provider "${r}" is not configured`,
-          errorCode: m.VALIDATION_ERROR
-        };
-      if (this.config.pkce.enabled && this.pkceStorage) {
-        const p = s || await this.pkceStorage.get(n);
-        if (!p)
-          return {
-            success: !1,
-            error: "PKCE code verifier not found",
-            errorCode: m.VALIDATION_ERROR
-          };
-        s = p;
-      }
-      const u = c.redirectUri || `${this.config.baseUrl}/api/auth/callback/${r}`;
-      let h;
-      try {
-        h = await he(r, c, t, u, s);
-      } catch (p) {
-        return this.config.logger && this.config.logger.error("OAuth token exchange failed", p), {
-          success: !1,
-          error: p instanceof Error ? p.message : "Token exchange failed",
-          errorCode: m.NETWORK_ERROR
-        };
-      }
-      let f;
-      try {
-        f = await ge(r, h.access_token);
-      } catch (p) {
-        return this.config.logger && this.config.logger.error("OAuth user profile retrieval failed", p), {
-          success: !1,
-          error: "Failed to retrieve user profile",
-          errorCode: m.NETWORK_ERROR
-        };
-      }
-      const y = {
-        id: f.id,
-        email: f.email,
-        name: f.name,
-        avatar: f.avatar,
-        emailVerified: f.emailVerified,
-        provider: r,
-        accessToken: h.access_token,
-        refreshToken: h.refresh_token,
-        tokens: h,
-        rawProfile: f.rawProfile
-      };
-      let E;
-      i ? E = await i(y) : E = {
-        id: y.id,
-        email: y.email,
-        name: y.name,
-        avatar: y.avatar,
-        emailVerified: y.emailVerified
-      };
-      const v = o ? await o(E, y) : {
-        user: E,
-        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3),
-        // 7 days
-        accessToken: h.access_token,
-        refreshToken: h.refresh_token,
-        tokenType: h.token_type || "Bearer",
-        expiresIn: h.expires_in
-      };
-      return this.config.pkce.enabled && this.pkceStorage && await this.pkceStorage.delete(n), {
-        success: !0,
-        user: E,
-        session: v
-      };
-    } catch (a) {
-      return this.config.logger && this.config.logger.error("OAuth callback error", a), {
-        success: !1,
-        error: a instanceof Error ? a.message : "OAuth callback failed",
-        errorCode: m.UNKNOWN_ERROR
-      };
-    }
-  }
-  // ============================================================================
-  // State Validation
-  // ============================================================================
-  /**
-   * Validates OAuth state token.
-   *
-   * @param state - State token
-   * @param providerId - Provider identifier
-   * @returns True if state is valid
-   */
-  async validateState(r, t) {
-    if (this.config.stateStore) {
-      const n = await this.config.stateStore.get(r);
-      return n ? n.expiresAt < Date.now() ? (await this.config.stateStore.delete(r), !1) : n.provider !== t ? !1 : (await this.config.stateStore.delete(r), !0) : !1;
-    }
-    return !0;
-  }
-}
-function jt(e) {
-  return new Sr(e);
-}
-function M(e) {
-  return e.success === !0 && e.user !== void 0 && e.session !== void 0;
-}
-var V = /* @__PURE__ */ ((e) => (e[e.DEBUG = 0] = "DEBUG", e[e.INFO = 1] = "INFO", e[e.WARN = 2] = "WARN", e[e.ERROR = 3] = "ERROR", e))(V || {});
-const Ar = process.env.NODE_ENV === "development" ? 0 : 1;
-function me(e = {}) {
-  const {
-    enabled: r = process.env.NODE_ENV === "development",
-    level: t = Ar,
-    context: n,
-    formatter: s = Rr
-  } = e, i = (a) => r && a >= t, o = (a, c, u, h) => ({
-    level: a,
-    message: c,
-    timestamp: /* @__PURE__ */ new Date(),
-    context: n,
-    data: u ? Or(u) : void 0,
-    error: h
-  });
-  return {
-    debug: (a, c) => {
-      if (i(
-        0
-        /* DEBUG */
-      )) {
-        const u = o(0, a, c);
-        console.debug(s(u));
-      }
-    },
-    info: (a, c) => {
-      if (i(
-        1
-        /* INFO */
-      )) {
-        const u = o(1, a, c);
-        console.info(s(u));
-      }
-    },
-    warn: (a, c) => {
-      if (i(
-        2
-        /* WARN */
-      )) {
-        const u = o(2, a, c);
-        console.warn(s(u));
-      }
-    },
-    error: (a, c) => {
-      if (i(
-        3
-        /* ERROR */
-      )) {
-        const u = c instanceof Error ? c : void 0, h = c instanceof Error ? void 0 : c, f = o(3, a, h, u);
-        console.error(s(f)), u && console.error(u);
-      }
-    }
-  };
-}
-function Rr(e) {
-  const r = e.timestamp.toISOString(), t = V[e.level], n = e.context ? `[${e.context}]` : "", s = e.data ? ` ${JSON.stringify(e.data)}` : "";
-  return `${r} [${t}]${n} ${e.message}${s}`;
-}
-function Or(e) {
-  const r = /* @__PURE__ */ new Set(["password", "token", "secret", "key", "accessToken", "refreshToken"]), t = {};
-  for (const [n, s] of Object.entries(e))
-    if (r.has(n.toLowerCase()))
-      t[n] = "***REDACTED***";
-    else if (typeof s == "string" && n.toLowerCase().includes("email")) {
-      const i = s.split("@");
-      if (i.length === 2 && i[0]) {
-        const o = i[0].substring(0, 3) + "***@" + i[1];
-        t[n] = o;
-      } else
-        t[n] = s;
-    } else
-      t[n] = s;
-  return t;
-}
-me();
-function Ee(e = {}) {
-  return me(e);
-}
-function Tr(e = {}) {
-  try {
-    const r = require("pino"), t = {
-      level: e.level !== void 0 ? V[e.level].toLowerCase() : "info",
-      base: e.context ? { context: e.context } : void 0,
-      timestamp: !0
-    }, n = r(t);
-    return {
-      debug: (s, i) => {
-        n.debug(i || {}, s);
-      },
-      info: (s, i) => {
-        n.info(i || {}, s);
-      },
-      warn: (s, i) => {
-        n.warn(i || {}, s);
-      },
-      error: (s, i) => {
-        i instanceof Error ? n.error({ err: i }, s) : n.error(i || {}, s);
-      }
-    };
-  } catch {
-    return Ee(e);
-  }
-}
-function _r(e = {}) {
-  const { adapter: r = "console", ...t } = e;
-  let n;
-  if (typeof r == "string")
-    switch (r) {
-      case "pino":
-        n = Tr(t);
-        break;
-      case "console":
-      default:
-        n = Ee(t);
-        break;
-    }
-  else
-    n = r;
-  return n;
-}
-const _ = _r({
-  adapter: process.env.MULGUARD_LOGGER_ADAPTER || "console",
-  level: process.env.NODE_ENV === "production" ? V.WARN : V.DEBUG
-});
-function br(e, r, t, n = {}) {
-  const {
-    enabled: s = !0,
-    maxRetries: i = 1,
-    retryDelay: o = 1e3,
-    rateLimit: a = 3,
-    autoSignOutOnFailure: c = !0,
-    redirectToLogin: u = "/login",
-    autoRedirectOnFailure: h = !0
-  } = n;
-  let f = null, y = !1;
-  const E = [], v = [], p = 60 * 1e3;
-  let w = 0, T = !1, b = null;
-  const j = 2, z = 60 * 1e3;
-  function l() {
-    const S = Date.now();
-    if (T && b) {
-      if (S < b)
-        return !1;
-      T = !1, b = null, w = 0;
-    }
-    for (; v.length > 0; ) {
-      const k = v[0];
-      if (k !== void 0 && k < S - p)
-        v.shift();
-      else
-        break;
-    }
-    return v.length >= a ? !1 : (v.push(S), !0);
-  }
-  function d() {
-    w++, w >= j && (T = !0, b = Date.now() + z, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
-  }
-  function g() {
-    w = 0, T = !1, b = null;
-  }
-  async function R(S = 1) {
-    if (!s)
-      return null;
-    if (!l())
-      throw new Error("Rate limit exceeded for token refresh");
-    try {
-      const k = await e();
-      if (k)
-        return g(), C(k), n.onTokenRefreshed && await Promise.resolve(n.onTokenRefreshed(k)), k;
-      if (d(), S < i)
-        return await J(o * S), R(S + 1);
-      throw new Error("Token refresh failed: refresh function returned null");
-    } catch (k) {
-      if (d(), S < i && I(k))
-        return await J(o * S), R(S + 1);
-      throw k;
-    }
-  }
-  function I(S) {
-    if (S instanceof Error) {
-      const k = S.message.toLowerCase();
-      if (k.includes("rate limit") || k.includes("too many requests") || k.includes("429") || k.includes("limit:") || k.includes("requests per minute") || k.includes("token_blacklisted") || k.includes("blacklisted") || k.includes("invalid") || k.includes("401") || k.includes("unauthorized") || k.includes("session has been revoked") || k.includes("session expired"))
-        return !1;
-      if (k.includes("network") || k.includes("fetch") || k.includes("timeout"))
-        return !0;
-    }
-    return !1;
-  }
-  function C(S) {
-    const k = [...E];
-    E.length = 0;
-    for (const { resolve: D } of k)
-      D(S);
-  }
-  function X(S) {
-    const k = [...E];
-    E.length = 0;
-    for (const { reject: D } of k)
-      D(S);
-  }
-  function J(S) {
-    return new Promise((k) => setTimeout(k, S));
-  }
-  async function Y(S) {
-    try {
-      if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(S)), c && (await t(), await r(), h && typeof window < "u")) {
-        let k = !0;
-        if (n.onBeforeRedirect && (k = await Promise.resolve(n.onBeforeRedirect(S))), k) {
-          const D = new URL(u, window.location.origin);
-          D.searchParams.set("reason", "session_expired"), D.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = D.toString();
-        }
-      }
-    } catch (k) {
-      process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", k);
-    }
-  }
-  return {
-    /**
-     * Refresh token with single refresh queue
-     */
-    async refreshToken() {
-      return s ? f || (y = !0, f = R().then((S) => (y = !1, f = null, S)).catch((S) => {
-        throw y = !1, f = null, X(S), Y(S).catch(() => {
-        }), S;
-      }), f) : null;
-    },
-    /**
-     * Check if refresh is in progress
-     */
-    isRefreshing() {
-      return y;
-    },
-    /**
-     * Wait for current refresh to complete
-     */
-    async waitForRefresh() {
-      return f ? new Promise((S, k) => {
-        E.push({ resolve: S, reject: k });
-      }) : null;
-    },
-    /**
-     * Clear state
-     */
-    clear() {
-      f = null, y = !1, v.length = 0, g(), X(new Error("Token refresh manager cleared"));
-    },
-    /**
-     * Handle token refresh failure
-     */
-    async handleRefreshFailure(S) {
-      return Y(S);
-    }
-  };
-}
-function Cr() {
-  const e = process.env.NODE_ENV === "production";
-  return {
-    cookieName: "__mulguard_session",
-    expiresIn: 60 * 60 * 24 * 7,
-    // 7 days
-    httpOnly: !0,
-    secure: e,
-    // HTTPS only in production
-    sameSite: "lax",
-    path: "/"
-  };
-}
-function Ir() {
-  return {
-    enabled: !0,
-    refreshThreshold: 300,
-    // 5 minutes before expiration
-    maxRetries: 0,
-    // No retries for blacklisted tokens
-    retryDelay: 1e3,
-    rateLimit: 1,
-    // 1 attempt per minute to prevent loops
-    autoSignOutOnFailure: !0,
-    redirectToLogin: "/login",
-    autoRedirectOnFailure: !0
-  };
-}
-function xr() {
-  return process.env.NEXT_PUBLIC_URL ?? (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000");
-}
-function Pr(e) {
-  const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: i } = e, o = r.cookieName ?? "__mulguard_session";
-  let a = null;
-  const c = async () => {
-    const p = Date.now();
-    if (a && p - a.timestamp < t)
-      return a.session;
-    if (n)
-      try {
-        const w = await n();
-        if (w && F(w))
-          return a = { session: w, timestamp: p }, w;
-        w && !F(w) && (await h(), a = null);
-      } catch (w) {
-        _.debug("getSession error", { error: w }), i && await i(w instanceof Error ? w : new Error(String(w)), "getSession"), a = null;
-      }
-    try {
-      const w = await Te(o);
-      if (w)
-        try {
-          const T = JSON.parse(w);
-          if (F(T))
-            return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await h(), a = null, null) : (a = { session: T, timestamp: p }, T);
-          await h(), a = null;
-        } catch {
-          await h(), a = null;
-        }
-    } catch (w) {
-      const T = w instanceof Error ? w.message : String(w);
-      !T.includes("request scope") && !T.includes("cookies") && (_.warn("getSession cookie error", { error: w }), i && await i(
-        w instanceof Error ? w : new Error(String(w)),
-        "getSession.cookie"
-      ));
-    }
-    return null;
-  }, u = async (p) => {
-    if (!F(p))
-      return {
-        success: !1,
-        error: "Invalid session structure"
-      };
-    try {
-      const w = typeof p == "object" && "token" in p ? String(p.token) : JSON.stringify(p), T = Re(o, w, r), b = await Oe(T);
-      return b.success && (a = { session: p, timestamp: Date.now() }), b;
-    } catch (w) {
-      const T = w instanceof Error ? w.message : "Failed to set session";
-      return _.error("setSession error", { error: w }), i && await i(w instanceof Error ? w : new Error(String(w)), "setSession"), {
-        success: !1,
-        error: T
-      };
-    }
-  }, h = async () => {
-    try {
-      await Ae(o, {
-        path: r.path,
-        domain: r.domain
-      }), a = null;
-    } catch (p) {
-      _.warn("clearSessionCookie error", { error: p });
-    }
-  }, f = async () => {
-    const p = await c();
-    return p != null && p.accessToken && typeof p.accessToken == "string" ? p.accessToken : null;
-  };
-  return {
-    getSession: c,
-    setSession: u,
-    clearSessionCookie: h,
-    getAccessToken: f,
-    getRefreshToken: async () => {
-      const p = await c();
-      return p != null && p.refreshToken && typeof p.refreshToken == "string" ? p.refreshToken : null;
-    },
-    hasValidTokens: async () => !!await f(),
-    clearCache: () => {
-      a = null;
-    },
-    getSessionConfig: () => ({ cookieName: o, config: r })
-  };
-}
-function Nr(e) {
-  return async (r) => {
-    try {
-      if (!r || typeof r != "object")
-        return {
-          success: !1,
-          error: "Invalid credentials",
-          errorCode: m.VALIDATION_ERROR
-        };
-      if (!r.email || typeof r.email != "string")
-        return {
-          success: !1,
-          error: "Email is required",
-          errorCode: m.VALIDATION_ERROR
-        };
-      const t = se(r.email);
-      if (!ie(t))
-        return {
-          success: !1,
-          error: t.error ?? "Invalid email format",
-          errorCode: m.VALIDATION_ERROR
-        };
-      if (!r.password || typeof r.password != "string")
-        return {
-          success: !1,
-          error: "Password is required",
-          errorCode: m.VALIDATION_ERROR
-        };
-      if (r.password.length > 128)
-        return {
-          success: !1,
-          error: "Invalid credentials",
-          errorCode: m.VALIDATION_ERROR
-        };
-      const n = {
-        email: t.sanitized,
-        password: r.password
-        // Don't sanitize password (needed for hashing)
-      }, s = await e.actions.signIn.email(n);
-      if (M(s)) {
-        const i = await e.saveSessionAfterAuth(s);
-        !i.success && i.warning && _.warn("Session save warning", { warning: i.warning });
-      }
-      return s.success ? _.info("Sign in successful", {
-        email: n.email.substring(0, 3) + "***"
-      }) : _.warn("Sign in failed", {
-        email: n.email.substring(0, 3) + "***",
-        errorCode: s.errorCode
-      }), s;
-    } catch (t) {
-      const n = t instanceof Error ? t.message : "Sign in failed";
-      return _.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
-        t instanceof Error ? t : new Error(String(t)),
-        "signIn.email"
-      ), {
-        success: !1,
-        error: "Sign in failed. Please try again.",
-        errorCode: m.UNKNOWN_ERROR
-      };
-    }
-  };
-}
-function Ur(e, r) {
-  return async (t) => {
-    if (!t || typeof t != "string")
-      throw new Error("Provider is required");
-    const n = oe(t, {
-      maxLength: 50,
-      allowHtml: !1,
-      required: !0
-    });
-    if (!n.valid || !n.sanitized)
-      throw new Error("Invalid provider");
-    const s = n.sanitized.toLowerCase();
-    if (!e.actions.signIn.oauth)
-      throw new Error(
-        "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
-      );
-    const i = await e.actions.signIn.oauth(s);
-    return await r(i.state, s), _.info("OAuth sign in initiated", { provider: s }), i;
-  };
-}
-function Dr(e) {
-  return async (r, t) => {
-    if (!r || typeof r != "string")
-      return {
-        success: !1,
-        error: "Email is required",
-        errorCode: m.VALIDATION_ERROR
-      };
-    const n = se(r);
-    if (!ie(n))
-      return {
-        success: !1,
-        error: n.error ?? "Invalid email format",
-        errorCode: m.VALIDATION_ERROR
-      };
-    if (t !== void 0 && (typeof t != "string" || t.length < 4 || t.length > 10))
-      return {
-        success: !1,
-        error: "Invalid OTP code format",
-        errorCode: m.VALIDATION_ERROR
-      };
-    if (!e.actions.signIn.otp)
-      return {
-        success: !1,
-        error: "OTP sign in is not configured",
-        errorCode: m.VALIDATION_ERROR
-      };
-    try {
-      const s = await e.actions.signIn.otp(n.sanitized, t);
-      if (M(s)) {
-        const i = await e.saveSessionAfterAuth(s);
-        !i.success && i.warning && _.warn("Session save warning", { warning: i.warning });
-      }
-      return s.success ? _.info("OTP sign in successful", {
-        email: n.sanitized.substring(0, 3) + "***"
-      }) : _.warn("OTP sign in failed", {
-        email: n.sanitized.substring(0, 3) + "***"
-      }), s;
-    } catch (s) {
-      return _.error("OTP sign in error", {
-        error: s instanceof Error ? s.message : "Unknown error",
-        context: "signIn.otp"
-      }), e.onError && await e.onError(
-        s instanceof Error ? s : new Error(String(s)),
-        "signIn.otp"
-      ), {
-        success: !1,
-        error: "OTP sign in failed. Please try again.",
-        errorCode: m.UNKNOWN_ERROR
-      };
-    }
-  };
-}
-function Fr(e) {
-  return async (r) => {
-    if (!e.actions.signIn.passkey)
-      throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
-    try {
-      const t = await e.actions.signIn.passkey(r);
-      if (M(t)) {
-        const n = await e.saveSessionAfterAuth(t);
-        !n.success && n.warning && _.warn("Session save warning", { warning: n.warning });
-      }
-      return t;
-    } catch (t) {
-      return e.onError && await e.onError(
-        t instanceof Error ? t : new Error(String(t)),
-        "signIn.passkey"
-      ), {
-        success: !1,
-        error: t instanceof Error ? t.message : "PassKey sign in failed"
-      };
-    }
-  };
-}
-function Lr(e, r) {
-  const t = Nr(e), n = Ur(e, r), s = Dr(e), i = Fr(e);
-  return Object.assign(async (c, u) => {
-    if (!c || typeof c != "string")
-      throw new Error("Provider is required");
-    const h = oe(c, {
-      maxLength: 50,
-      allowHtml: !1,
-      required: !0
-    });
-    if (!h.valid || !h.sanitized)
-      throw new Error("Invalid provider");
-    const f = h.sanitized.toLowerCase();
-    if (f === "google" || f === "github" || f === "apple" || f === "facebook" || typeof f == "string" && !["credentials", "otp", "passkey"].includes(f))
-      return n(f);
-    if (f === "credentials")
-      return !u || !("email" in u) || !("password" in u) ? {
-        success: !1,
-        error: "Credentials are required",
-        errorCode: m.VALIDATION_ERROR
-      } : t(u);
-    if (f === "otp") {
-      if (!u || !("email" in u))
-        return {
-          success: !1,
-          error: "Email is required",
-          errorCode: m.VALIDATION_ERROR
-        };
-      const y = u;
-      return s(y.email, y.code);
-    }
-    return f === "passkey" ? i(u) : {
-      success: !1,
-      error: "Invalid provider",
-      errorCode: m.VALIDATION_ERROR
-    };
-  }, {
-    email: t,
-    oauth: e.actions.signIn.oauth ? n : void 0,
-    passkey: e.actions.signIn.passkey ? i : void 0,
-    otp: e.actions.signIn.otp ? s : void 0
-  });
-}
-function Vr(e) {
-  return async (r) => {
-    if (!e.actions.signUp)
-      throw new Error("Sign up is not configured. Provide signUp action in config.");
-    try {
-      const t = await e.actions.signUp(r);
-      if (M(t)) {
-        const n = await e.saveSessionAfterAuth(t);
-        !n.success && n.warning && _.warn("Session save warning", { warning: n.warning });
-      }
-      return t;
-    } catch (t) {
-      return e.onError && await e.onError(
-        t instanceof Error ? t : new Error(String(t)),
-        "signUp"
-      ), {
-        success: !1,
-        error: t instanceof Error ? t.message : "Sign up failed"
-      };
-    }
-  };
-}
-function Mr(e, r) {
-  return async (t, n, s) => {
-    const i = e.oauthProviders[t];
-    if (!i)
-      return {
-        success: !1,
-        error: `OAuth provider "${t}" is not configured`,
-        errorCode: m.VALIDATION_ERROR
-      };
-    try {
-      const o = i.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await he(t, i, n, o), c = await ge(t, a.access_token), u = {
-        id: c.id,
-        email: c.email,
-        name: c.name,
-        avatar: c.avatar,
-        emailVerified: c.emailVerified,
-        provider: t,
-        accessToken: a.access_token,
-        refreshToken: a.refresh_token,
-        tokens: {
-          access_token: a.access_token,
-          refresh_token: a.refresh_token,
-          expires_in: a.expires_in,
-          token_type: a.token_type,
-          id_token: a.id_token
-        },
-        rawProfile: c.rawProfile
-      };
-      if (e.callbacks.onOAuthUser) {
-        const h = await Z(
-          e.callbacks.onOAuthUser,
-          [u, t],
-          e.onError
-        );
-        if (!h)
-          return {
-            success: !1,
-            error: "Failed to create or retrieve user",
-            errorCode: m.VALIDATION_ERROR
-          };
-        const f = e.createSession(h, u, a);
-        return await e.saveSession(f), e.callbacks.onSignIn && await Z(
-          e.callbacks.onSignIn,
-          [f.user, f],
-          e.onError
-        ), { success: !0, user: f.user, session: f };
-      }
-      return {
-        success: !1,
-        error: "OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",
-        errorCode: m.VALIDATION_ERROR
-      };
-    } catch (o) {
-      return _.error("OAuth callback failed", { provider: t, error: o }), {
-        success: !1,
-        error: o instanceof Error ? o.message : "OAuth callback failed",
-        errorCode: m.NETWORK_ERROR
-      };
-    }
-  };
-}
-async function Z(e, r, t) {
-  if (e)
-    try {
-      return await e(...r);
-    } catch (n) {
-      throw t && await t(
-        n instanceof Error ? n : new Error(String(n)),
-        "callback"
-      ), n;
-    }
-}
-function jr(e, r, t, n) {
-  if (Object.keys(e).length !== 0)
-    return async (s) => {
-      const i = e[s];
-      if (!i)
-        throw new Error(`OAuth provider "${s}" is not configured. Add it to providers.oauth in config.`);
-      if (!i.clientId)
-        throw new Error(`OAuth provider "${s}" is missing clientId`);
-      const o = t();
-      return { url: n(s, i, r, o), state: o };
-    };
-}
-function zt(e) {
-  var j, z;
-  const r = {
-    ...Cr(),
-    ...e.session
-  }, t = e.actions, n = e.callbacks || {}, s = ((j = e.providers) == null ? void 0 : j.oauth) || {}, i = xr(), o = {
-    ...Ir(),
-    ...e.tokenRefresh
-  }, a = ((z = e.session) == null ? void 0 : z.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, c = e.oauthStateStore || vr(), u = { ...t }, h = async (l, d) => {
-    const g = {
-      provider: d,
-      expiresAt: Date.now() + 6e5
-      // 10 minutes
-    };
-    await Promise.resolve(c.set(l, g, 10 * 60 * 1e3)), c.cleanup && await Promise.resolve(c.cleanup());
-  }, f = async (l, d) => {
-    let g = await Promise.resolve(c.get(l));
-    if (!g)
-      try {
-        const { getOAuthStateCookie: R } = await import("../oauth-state-pdypStuS.mjs").then((C) => C.o), I = await R();
-        if (I && I.state === l && I.provider === d)
-          return !0;
-      } catch {
-      }
-    return g ? g.expiresAt < Date.now() ? (await Promise.resolve(c.delete(l)), !1) : g.provider !== d ? !1 : (await Promise.resolve(c.delete(l)), !0) : !1;
-  }, y = jr(
-    s,
-    i,
-    ue,
-    de
-  );
-  if (y && !u.signIn.oauth) {
-    const l = u.signIn;
-    u.signIn = {
-      ...l,
-      oauth: async (d) => {
-        const g = await y(d);
-        return await h(g.state, d), g;
-      }
-    };
-  }
-  if (!u.signIn || !u.signIn.email)
-    throw new Error("mulguard: signIn.email action is required");
-  const E = async (l, ...d) => {
-    if (l)
-      try {
-        return await l(...d);
-      } catch (g) {
-        throw n.onError && await n.onError(g instanceof Error ? g : new Error(String(g)), "callback"), g;
-      }
-  }, v = Pr({
-    sessionConfig: r,
-    cacheTtl: a,
-    getSessionAction: t.getSession,
-    onSessionExpired: n.onSessionExpired,
-    onError: n.onError
-  }), p = async (l) => {
-    if (!M(l) || !l.session)
-      return { success: !0 };
-    const d = await v.setSession(l.session);
-    return l.user && n.onSignIn && await E(n.onSignIn, l.user, l.session), d;
-  };
-  if (Object.keys(s).length > 0 && !u.oauthCallback) {
-    const l = Mr(
-      {
-        oauthProviders: s,
-        baseUrl: i,
-        callbacks: n,
-        createSession: (d, g, R) => ({
-          user: {
-            ...d,
-            avatar: g.avatar,
-            emailVerified: g.emailVerified
-          },
-          expiresAt: new Date(Date.now() + (r.expiresIn || 604800) * 1e3),
-          accessToken: R.access_token,
-          refreshToken: R.refresh_token,
-          tokenType: "Bearer",
-          expiresIn: R.expires_in
-        }),
-        saveSession: async (d) => {
-          await v.setSession(d);
-        },
-        onError: n.onError
-      }
-    );
-    u.oauthCallback = l;
-  }
-  const w = Lr(
-    {
-      actions: u,
-      callbacks: n,
-      saveSessionAfterAuth: p,
-      onError: n.onError
-    },
-    h
-  ), T = Vr({
-    actions: u,
-    callbacks: n,
-    saveSessionAfterAuth: p,
-    onError: n.onError
-  }), b = {
-    /**
-     * Get current session
-     * Uses custom getSession action if provided, otherwise falls back to reading from cookie
-     */
-    async getSession() {
-      return await v.getSession();
-    },
-    /**
-     * Get access token from current session
-     */
-    async getAccessToken() {
-      return await v.getAccessToken();
-    },
-    /**
-     * Get refresh token from current session
-     */
-    async getRefreshToken() {
-      return await v.getRefreshToken();
-    },
-    /**
-     * Check if session has valid tokens
-     */
-    async hasValidTokens() {
-      return await v.hasValidTokens();
-    },
-    /**
-     * Unified sign in method - supports both unified and direct method calls
-     */
-    signIn: w,
-    /**
-     * Sign up new user
-     */
-    async signUp(l) {
-      if (!T)
-        throw new Error("Sign up is not configured. Provide signUp action in config.");
-      return await T(l);
-    },
-    /**
-     * Sign out
-     */
-    async signOut() {
-      try {
-        const l = await this.getSession(), d = l == null ? void 0 : l.user;
-        return t.signOut && await t.signOut(), await v.clearSessionCookie(), v.clearCache(), d && n.onSignOut && await E(n.onSignOut, d), { success: !0 };
-      } catch (l) {
-        return await v.clearSessionCookie(), v.clearCache(), n.onError && await E(n.onError, l instanceof Error ? l : new Error(String(l)), "signOut"), {
-          success: !1,
-          error: l instanceof Error ? l.message : "Sign out failed"
-        };
-      }
-    },
-    /**
-     * Request password reset
-     */
-    async resetPassword(l) {
-      if (!t.resetPassword)
-        throw new Error("Password reset is not configured. Provide resetPassword action in config.");
-      try {
-        return await t.resetPassword(l);
-      } catch (d) {
-        return n.onError && await E(n.onError, d instanceof Error ? d : new Error(String(d)), "resetPassword"), {
-          success: !1,
-          error: d instanceof Error ? d.message : "Password reset failed"
-        };
-      }
-    },
-    /**
-     * Verify email address
-     */
-    async verifyEmail(l) {
-      if (!t.verifyEmail)
-        throw new Error("Email verification is not configured. Provide verifyEmail action in config.");
-      try {
-        return await t.verifyEmail(l);
-      } catch (d) {
-        return n.onError && await E(n.onError, d instanceof Error ? d : new Error(String(d)), "verifyEmail"), {
-          success: !1,
-          error: d instanceof Error ? d.message : "Email verification failed"
-        };
-      }
-    },
-    /**
-     * Refresh session
-     * Executes custom refreshSession action with improved error handling and callbacks
-     */
-    async refreshSession() {
-      if (!t.refreshSession)
-        return this.getSession();
-      try {
-        const l = await t.refreshSession();
-        if (l && F(l)) {
-          if (await v.setSession(l), n.onSessionUpdate) {
-            const d = await E(n.onSessionUpdate, l);
-            if (d && F(d)) {
-              if (await v.setSession(d), n.onTokenRefresh) {
-                const g = await this.getSession();
-                g && await E(n.onTokenRefresh, g, d);
-              }
-              return d;
-            }
-          }
-          if (n.onTokenRefresh) {
-            const d = await this.getSession();
-            d && await E(n.onTokenRefresh, d, l);
-          }
-          return l;
-        } else if (l && !F(l))
-          return await v.clearSessionCookie(), v.clearCache(), null;
-        return null;
-      } catch (l) {
-        return await v.clearSessionCookie(), v.clearCache(), n.onError && await E(n.onError, l instanceof Error ? l : new Error(String(l)), "refreshSession"), null;
-      }
-    },
-    /**
-     * OAuth callback handler
-     * ✅ Auto-generated if providers.oauth is configured in config
-     */
-    async oauthCallback(l, d, g) {
-      if (!u.oauthCallback)
-        throw new Error(
-          "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
-        );
-      if (!d || !g)
-        return {
-          success: !1,
-          error: "Missing required OAuth parameters (code or state)",
-          errorCode: m.VALIDATION_ERROR
-        };
-      let R = l;
-      if (!R) {
-        const C = await Promise.resolve(c.get(g));
-        if (C && C.provider)
-          R = C.provider;
-        else
-          return {
-            success: !1,
-            error: "Provider is required and could not be extracted from state",
-            errorCode: m.VALIDATION_ERROR
-          };
-      }
-      if (!await f(g, R))
-        return {
-          success: !1,
-          error: "Invalid or expired state parameter",
-          errorCode: m.VALIDATION_ERROR
-        };
-      try {
-        return await u.oauthCallback(R, d, g);
-      } catch (C) {
-        return n.onError && await E(n.onError, C instanceof Error ? C : new Error(String(C)), "oauthCallback"), {
-          success: !1,
-          error: C instanceof Error ? C.message : "OAuth callback failed",
-          errorCode: m.NETWORK_ERROR
-        };
-      }
-    },
-    /**
-     * Verify 2FA code after initial sign in
-     * Used when signIn returns requires2FA: true
-     */
-    async verify2FA(l, d) {
-      if (!t.verify2FA)
-        throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
-      try {
-        const g = await t.verify2FA(l);
-        if (g.success && g.session && !(d != null && d.skipCookieSave)) {
-          const R = await p(g);
-          R.success || (process.env.NODE_ENV === "development" && _.debug("Failed to save session cookie after verify2FA", {
-            error: R.error,
-            warning: R.warning
-          }), n.onError && await E(
-            n.onError,
-            new Error(R.warning || R.error || "Failed to save session cookie"),
-            "verify2FA.setSession"
-          ));
-        }
-        return g;
-      } catch (g) {
-        return n.onError && await E(n.onError, g instanceof Error ? g : new Error(String(g)), "verify2FA"), {
-          success: !1,
-          error: g instanceof Error ? g.message : "2FA verification failed",
-          errorCode: m.TWO_FA_REQUIRED
-        };
-      }
-    },
-    /**
-     * Set session directly
-     * Useful for Server Actions that need to save session manually
-     */
-    async setSession(l) {
-      return await v.setSession(l);
-    },
-    /**
-     * Internal method to get session config for Server Actions
-     * Used by verify2FAAction to save session cookie directly
-     * @internal
-     */
-    _getSessionConfig() {
-      return v.getSessionConfig();
-    },
-    _getCallbacks() {
-      return n;
-    },
-    /**
-     * Store OAuth state for validation (useful when using external backend API)
-     * This allows storing state generated by backend APIs in mulguard's state store
-     *
-     * @param state - OAuth state token
-     * @param provider - OAuth provider name
-     */
-    async storeOAuthState(l, d) {
-      await h(l, d);
-    },
-    /**
-     * PassKey methods
-     */
-    passkey: t.passkey ? {
-      register: t.passkey.register,
-      authenticate: async (l) => {
-        var d;
-        if (!((d = t.passkey) != null && d.authenticate))
-          throw new Error("PassKey authenticate is not configured.");
-        try {
-          const g = await t.passkey.authenticate(l);
-          return g.success && g.session && await p(g), g;
-        } catch (g) {
-          return n.onError && await E(n.onError, g instanceof Error ? g : new Error(String(g)), "passkey.authenticate"), {
-            success: !1,
-            error: g instanceof Error ? g.message : "PassKey authentication failed"
-          };
-        }
-      },
-      list: t.passkey.list ? async () => {
-        var d;
-        if (!((d = t.passkey) != null && d.list))
-          throw new Error("PassKey list is not configured.");
-        return [...await t.passkey.list()];
-      } : void 0,
-      remove: t.passkey.remove
-    } : void 0,
-    /**
-     * Two-Factor Authentication methods
-     */
-    twoFactor: t.twoFactor ? {
-      enable: t.twoFactor.enable,
-      verify: t.twoFactor.verify,
-      disable: t.twoFactor.disable,
-      generateBackupCodes: t.twoFactor.generateBackupCodes,
-      isEnabled: t.twoFactor.isEnabled,
-      verify2FA: async (l) => {
-        var g;
-        const d = ((g = t.twoFactor) == null ? void 0 : g.verify2FA) || t.verify2FA;
-        if (!d)
-          throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
-        try {
-          const R = await d(l);
-          if (R.success && R.session) {
-            const I = await p(R);
-            I.success || (process.env.NODE_ENV === "development" && _.debug("Failed to save session cookie after twoFactor.verify2FA", {
-              error: I.error,
-              warning: I.warning
-            }), n.onError && await E(
-              n.onError,
-              new Error(I.warning || I.error || "Failed to save session cookie"),
-              "twoFactor.verify2FA.setSession"
-            ));
-          }
-          return R;
-        } catch (R) {
-          return n.onError && await E(n.onError, R instanceof Error ? R : new Error(String(R)), "twoFactor.verify2FA"), {
-            success: !1,
-            error: R instanceof Error ? R.message : "2FA verification failed",
-            errorCode: m.UNKNOWN_ERROR
-          };
-        }
-      }
-    } : void 0,
-    /**
-     * Sign in methods - alias for signIn (for backward compatibility)
-     */
-    signInMethods: {
-      email: (l) => w.email(l),
-      oauth: (l) => {
-        var d;
-        return ((d = w.oauth) == null ? void 0 : d.call(w, l)) || Promise.reject(new Error("OAuth not configured"));
-      },
-      passkey: (l) => {
-        var d;
-        return ((d = w.passkey) == null ? void 0 : d.call(w, l)) || Promise.reject(new Error("Passkey not configured"));
-      },
-      otp: (l, d) => {
-        var g;
-        return ((g = w.otp) == null ? void 0 : g.call(w, l, d)) || Promise.reject(new Error("OTP not configured"));
-      }
-    }
-  };
-  if (t.refreshSession) {
-    const l = br(
-      async () => await b.refreshSession(),
-      async () => await b.signOut(),
-      async () => {
-        await v.clearSessionCookie(), v.clearCache();
-      },
-      {
-        ...o,
-        onTokenRefreshed: o.onTokenRefreshed,
-        onTokenRefreshFailed: o.onTokenRefreshFailed,
-        onBeforeRedirect: o.onBeforeRedirect
-      }
-    );
-    b._tokenRefreshManager = l, b._getTokenRefreshManager = () => l;
-  }
-  return b;
-}
-function W(e) {
-  if (!e)
-    return e;
-  const { accessToken: r, refreshToken: t, ...n } = e;
-  return n;
-}
-function Bt(e) {
-  return {
-    GET: async (r) => ee(r, e, "GET"),
-    POST: async (r) => ee(r, e, "POST")
-  };
-}
-async function ee(e, r, t) {
-  const n = new URL(e.url), s = zr(n.pathname), i = s.split("/").filter(Boolean);
-  try {
-    return t === "GET" ? await Br(e, r, s, i, n) : t === "POST" ? await $r(e, r, s, i, n) : O("Method not allowed", 405);
-  } catch (o) {
-    return O(
-      o instanceof Error ? o.message : "Request failed",
-      500
-    );
-  }
-}
-function zr(e) {
-  return e.replace(/^\/api\/auth/, "") || "/session";
-}
-async function Br(e, r, t, n, s) {
-  if (t === "/session" || t === "/") {
-    const i = await r.getSession(), o = W(i);
-    return A.json({ session: o });
-  }
-  return t === "/providers" ? A.json({
-    providers: {
-      email: !!r.signIn.email,
-      oauth: !!r.signIn.oauth,
-      passkey: !!r.signIn.passkey
-    }
-  }) : ye(t, n) ? await ke(e, r, t, n, s, "GET") : O("Not found", 404);
-}
-async function $r(e, r, t, n, s) {
-  const i = await Hr(e);
-  return t === "/sign-in" || n[0] === "sign-in" ? await Wr(r, i) : t === "/sign-up" || n[0] === "sign-up" ? await Gr(r, i) : t === "/sign-out" || n[0] === "sign-out" ? await Kr(r) : t === "/reset-password" || n[0] === "reset-password" ? await Xr(r, i) : t === "/verify-email" || n[0] === "verify-email" ? await Jr(r, i) : t === "/refresh" || n[0] === "refresh" ? await Yr(r) : ye(t, n) ? await ke(e, r, t, n, s, "POST", i) : t.startsWith("/passkey") ? await Zr(r, t, n, i) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await Qr(r, i) : t.startsWith("/two-factor") ? await et(r, n, i) : O("Not found", 404);
-}
-async function Hr(e) {
-  try {
-    return await e.json();
-  } catch {
-    return {};
-  }
-}
-function ye(e, r) {
-  return e === "/callback" || e.startsWith("/oauth/callback") || r[0] === "oauth" && r[1] === "callback" || r[0] === "callback";
-}
-async function ke(e, r, t, n, s, i, o) {
-  if (!r.oauthCallback)
-    return i === "GET" ? B(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
-  const a = qr(n, s, o), c = (o == null ? void 0 : o.code) ?? s.searchParams.get("code"), u = (o == null ? void 0 : o.state) ?? s.searchParams.get("state");
-  if (!c || !u)
-    return i === "GET" ? B(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
-  try {
-    const h = await r.oauthCallback(a ?? "", c, u);
-    return i === "GET" ? h.success ? tt(e.url, s.searchParams.get("callbackUrl")) : B(e.url, h.error ?? "oauth_failed") : A.json(h);
-  } catch (h) {
-    return i === "GET" ? B(e.url, h instanceof Error ? h.message : "oauth_error") : O(h instanceof Error ? h.message : "OAuth callback failed", 500);
-  }
-}
-function qr(e, r, t) {
-  return t != null && t.provider ? t.provider : e[0] === "callback" && e[1] ? e[1] : e[0] === "oauth" && e[1] === "callback" && e[2] ? e[2] : r.searchParams.get("provider");
-}
-async function Wr(e, r) {
-  if (r.provider === "email" && r.email && r.password) {
-    const t = {
-      email: r.email,
-      password: r.password
-    }, n = await e.signIn.email(t);
-    return A.json(n);
-  }
-  if (r.provider === "oauth" && r.providerName) {
-    if (!e.signIn.oauth)
-      return O("OAuth is not configured", 400);
-    const t = await e.signIn.oauth(r.providerName);
-    return A.json(t);
-  }
-  if (r.provider === "passkey") {
-    if (!e.signIn.passkey)
-      return O("PassKey is not configured", 400);
-    const t = await e.signIn.passkey(r.options);
-    return A.json(t);
-  }
-  return O("Invalid sign in request", 400);
-}
-async function Gr(e, r) {
-  if (!e.signUp)
-    return O("Sign up is not configured", 400);
-  const t = await e.signUp(r);
-  return A.json(t);
-}
-async function Kr(e) {
-  const r = await e.signOut();
-  return A.json(r);
-}
-async function Xr(e, r) {
-  if (!e.resetPassword)
-    return O("Password reset is not configured", 400);
-  if (!r.email || typeof r.email != "string")
-    return O("Email is required", 400);
-  const t = await e.resetPassword(r.email);
-  return A.json(t);
-}
-async function Jr(e, r) {
-  if (!e.verifyEmail)
-    return O("Email verification is not configured", 400);
-  if (!r.token || typeof r.token != "string")
-    return O("Token is required", 400);
-  const t = await e.verifyEmail(r.token);
-  return A.json(t);
-}
-async function Yr(e) {
-  if (!e.refreshSession) {
-    const n = await e.getSession(), s = W(n);
-    return A.json({ session: s });
-  }
-  const r = await e.refreshSession(), t = W(r);
-  return A.json({ session: t });
-}
-async function Qr(e, r) {
-  if (!e.verify2FA)
-    return O("2FA verification is not configured", 400);
-  if (!r.email || !r.userId || !r.code)
-    return O("Missing required parameters. Email, userId, and code are required.", 400);
-  const t = {
-    email: r.email,
-    userId: r.userId,
-    code: r.code
-  }, n = await e.verify2FA(t);
-  return A.json(n);
-}
-async function Zr(e, r, t, n) {
-  if (!e.passkey)
-    return O("PassKey is not configured", 400);
-  const s = t[1];
-  if (s === "register" && e.passkey.register) {
-    const i = await e.passkey.register(n.options);
-    return A.json(i);
-  }
-  if (s === "list" && e.passkey.list) {
-    const i = await e.passkey.list();
-    return A.json(i);
-  }
-  if (s === "remove" && e.passkey.remove) {
-    if (!n.passkeyId || typeof n.passkeyId != "string")
-      return O("Passkey ID is required", 400);
-    const i = await e.passkey.remove(n.passkeyId);
-    return A.json(i);
-  }
-  return O("Invalid Passkey request", 400);
-}
-async function et(e, r, t) {
-  if (!e.twoFactor)
-    return O("Two-Factor Authentication is not configured", 400);
-  const n = r[1];
-  if (n === "enable" && e.twoFactor.enable) {
-    const s = await e.twoFactor.enable();
-    return A.json(s);
-  }
-  if (n === "verify" && e.twoFactor.verify) {
-    if (!t.code || typeof t.code != "string")
-      return O("Code is required", 400);
-    const s = await e.twoFactor.verify(t.code);
-    return A.json(s);
-  }
-  if (n === "disable" && e.twoFactor.disable) {
-    const s = await e.twoFactor.disable();
-    return A.json(s);
-  }
-  if (n === "backup-codes" && e.twoFactor.generateBackupCodes) {
-    const s = await e.twoFactor.generateBackupCodes();
-    return A.json(s);
-  }
-  if (n === "is-enabled" && e.twoFactor.isEnabled) {
-    const s = await e.twoFactor.isEnabled();
-    return A.json({ enabled: s });
-  }
-  return O("Invalid two-factor request", 400);
-}
-function O(e, r) {
-  return A.json(
-    {
-      success: !1,
-      error: e
-    },
-    { status: r }
-  );
-}
-function B(e, r) {
-  return A.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
-}
-function rt(e, r) {
-  if (!e)
-    return null;
-  try {
-    const t = new URL(e, r), n = new URL(r);
-    return t.protocol !== n.protocol || t.hostname !== n.hostname || t.port !== n.port ? (process.env.NODE_ENV === "development" && console.warn("[Mulguard] Blocked redirect to external URL:", e), null) : t.protocol === "javascript:" || t.protocol === "data:" ? (process.env.NODE_ENV === "development" && console.warn("[Mulguard] Blocked dangerous redirect URL:", e), null) : t.pathname + t.search + t.hash;
-  } catch {
-    return null;
-  }
-}
-function tt(e, r) {
-  const n = rt(r, e) ?? "/";
-  return A.redirect(new URL(n, e));
-}
-function $t(e) {
-  return async (r) => {
-    const { method: t, nextUrl: n } = r, i = n.pathname.replace(/^\/api\/auth/, "") || "/";
-    try {
-      let o;
-      if (t !== "GET" && t !== "HEAD")
-        try {
-          o = await r.json();
-        } catch {
-        }
-      const a = Object.fromEntries(n.searchParams.entries()), c = await fetch(
-        `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${i}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
-        {
-          method: t,
-          headers: {
-            "Content-Type": "application/json",
-            ...Object.fromEntries(r.headers.entries())
-          },
-          body: o ? JSON.stringify(o) : void 0
-        }
-      ), u = await c.json();
-      return A.json(u, {
-        status: c.status,
-        headers: {
-          ...Object.fromEntries(c.headers.entries())
-        }
-      });
-    } catch (o) {
-      return console.error("API handler error:", o), A.json(
-        {
-          success: !1,
-          error: o instanceof Error ? o.message : "Internal server error"
-        },
-        { status: 500 }
-      );
-    }
-  };
-}
-function $(e, r) {
-  const t = ne({
-    // Customize headers if needed
-    "X-Frame-Options": "SAMEORIGIN"
-    // Allow same-origin framing
-  });
-  for (const [n, s] of Object.entries(t))
-    s && typeof s == "string" && r.headers.set(n, s);
-  return r;
-}
-function nt(e) {
-  const {
-    auth: r,
-    protectedRoutes: t = [],
-    // publicRoutes is reserved for future use
-    redirectTo: n = "/login",
-    redirectIfAuthenticated: s,
-    apiPrefix: i = "/api/auth",
-    enableSecurityHeaders: o = !0
-  } = e;
-  return async (a) => {
-    const { pathname: c } = a.nextUrl;
-    if (c.startsWith(i)) {
-      const y = A.next();
-      return o ? $(a, y) : y;
-    }
-    if (c.startsWith("/_next/") || c.startsWith("/api/") || c.match(/\.(ico|png|jpg|jpeg|svg|gif|webp|css|js|woff|woff2|ttf|eot)$/))
-      return A.next();
-    const u = t.length > 0 ? t.some((y) => c.startsWith(y)) : !1;
-    let h = null;
-    if (u || s)
-      try {
-        h = await r.getSession();
-      } catch (y) {
-        process.env.NODE_ENV === "development" && console.error("Proxy: Failed to get session:", y);
-      }
-    if (u && !h) {
-      const y = a.nextUrl.clone();
-      y.pathname = n, y.searchParams.set("callbackUrl", c);
-      const E = A.redirect(y);
-      return o ? $(a, E) : E;
-    }
-    if (s && h && (c.startsWith("/login") || c.startsWith("/register") || c.startsWith("/signup") || c.startsWith("/sign-in"))) {
-      const E = a.nextUrl.clone();
-      E.pathname = s;
-      const v = A.redirect(E);
-      return o ? $(a, v) : v;
-    }
-    const f = A.next();
-    return o ? $(a, f) : f;
-  };
-}
-async function st(e, r) {
-  try {
-    const t = await e.getSession();
-    return t ? (t.user.roles || []).includes(r) : !1;
-  } catch {
-    return !1;
-  }
-}
-function Ht(e, r) {
-  const t = nt(e);
-  return async (n) => {
-    var o;
-    const { pathname: s } = n.nextUrl;
-    return ((o = e.protectedRoutes) == null ? void 0 : o.some(
-      (a) => s.startsWith(a)
-    )) && !await st(e.auth, r) ? A.json({ error: "Forbidden" }, { status: 403 }) : t(n);
-  };
-}
-export {
-  Ke as CSRFProtection,
-  Ne as DEFAULT_SECURITY_HEADERS,
-  Ge as MemoryCSRFStore,
-  kr as MemoryOAuthStateStore,
-  pr as MemoryPKCEStorage,
-  Sr as OAuthHandler,
-  Pe as RateLimiter,
-  Qt as SessionExpiredError,
-  lt as applySecurityHeaders,
-  Re as buildCookieOptions,
-  de as buildOAuthAuthorizationUrl,
-  st as checkRole,
-  At as containsXSSPattern,
-  $t as createApiHandler,
-  Zt as createAuthenticatedAction,
-  kt as createCSRFProtection,
-  yr as createCookieOAuthStateStore,
-  vr as createMemoryOAuthStateStore,
-  Vt as createNextJsCookieOAuthStateStore,
-  jt as createOAuthHandler,
-  nt as createProxyMiddleware,
-  ut as createRateLimiter,
-  Mt as createRedisOAuthStateStore,
-  Ht as createRoleBasedProxy,
-  en as createServerAction,
-  Ae as deleteCookie,
-  rn as deleteOAuthStateCookie,
-  Xe as escapeHTML,
-  he as exchangeOAuthCode,
-  ue as generateCSRFToken,
-  pe as generateCodeChallenge,
-  hr as generateCodeVerifier,
-  gr as generatePKCECodePair,
-  ce as generateToken,
-  Te as getCookie,
-  tn as getCurrentUser,
-  Ct as getErrorCode,
-  bt as getErrorMessage,
-  nn as getOAuthStateCookie,
-  ge as getOAuthUserInfo,
-  K as getProviderMetadata,
-  ne as getSecurityHeaders,
-  sn as getServerSession,
-  on as getServerUser,
-  an as getSessionTimeUntilExpiry,
-  Nt as getUserFriendlyError,
-  ge as getUserProfile,
-  xt as hasErrorCode,
-  Ye as isAuthError,
-  It as isAuthSuccess,
-  cn as isAuthenticated,
-  Ft as isOAuthProviderConfig,
-  Pt as isRetryableError,
-  un as isSessionExpiredNullable,
-  ln as isSessionExpiringSoon,
-  fn as isSessionValid,
-  Dt as isSupportedProvider,
-  _t as isTwoFactorRequired,
-  Rt as isValidCSRFToken,
-  Tt as isValidEmail,
-  yt as isValidInput,
-  gt as isValidName,
-  dt as isValidPassword,
-  Et as isValidToken,
-  pt as isValidURL,
-  zt as mulguard,
-  dn as requireAuth,
-  hn as requireRole,
-  vt as sanitizeHTML,
-  Ot as sanitizeInput,
-  St as sanitizeUserInput,
-  Oe as setCookie,
-  Ut as signIn,
-  Gt as signInEmailAction,
-  Kt as signOutAction,
-  Xt as signUpAction,
-  gn as storeOAuthStateCookie,
-  Bt as toNextJsHandler,
-  se as validateAndSanitizeEmail,
-  oe as validateAndSanitizeInput,
-  ht as validateAndSanitizeName,
-  ft as validateAndSanitizePassword,
-  le as validateCSRFToken,
-  F as validateSessionStructure,
-  mt as validateToken,
-  wt as validateURL,
-  Jt as verify2FAAction,
-  Lt as verifyPKCECode,
-  $ as withSecurityHeaders
-};