najm-auth 1.1.23 → 1.1.24

package/dist/{FetchClient-DadnuVF7.d.ts → NajmAuthClient-D08--i69.d.ts}

@@ -153,4 +153,87 @@ declare class FetchClient {
     private parseBody;
 }
 
-export { AuthError as A, type DecodedToken as D, FetchClient as F, type RetryConfig as R, type SyncPayload as S, type TabSyncMessage as T, type AuthClientConfig as a, type AuthEventMap as b, type AuthState as c, type AuthUser as d, type AuthEvent as e, type AuthEventHandler as f, type ServerResponse as g, type TokenPair as h, type RequestOptions as i };
+interface HydrateSession {
+    user: AuthUser | null;
+    accessToken?: string | null;
+    roles?: string[];
+    permissions?: string[];
+}
+declare class NajmAuthClient {
+    private config;
+    private static readonly MAX_REFRESH_FAILURES;
+    private static readonly CIRCUIT_RESET_MS;
+    private state;
+    private refreshTimer;
+    private refreshCircuitTimer;
+    private refreshPromise;
+    private fetchUserPromise;
+    private refreshFailures;
+    private _hydrated;
+    private listeners;
+    private eventListeners;
+    private tabSync;
+    api: FetchClient;
+    private readonly prefix;
+    private readonly threshold;
+    constructor(config: AuthClientConfig);
+    login(credentials: {
+        email: string;
+        password: string;
+    }): Promise<AuthUser>;
+    register(data: Record<string, unknown>): Promise<AuthUser>;
+    logout(): Promise<void>;
+    refresh(): Promise<void>;
+    fetchUser(): Promise<AuthUser | null>;
+    private _doFetchUser;
+    forgotPassword(data: {
+        email: string;
+    }): Promise<void>;
+    changePassword(data: {
+        currentPassword: string;
+        newPassword: string;
+    }): Promise<void>;
+    resetPassword(data: {
+        token: string;
+        newPassword: string;
+    }): Promise<void>;
+    can(permission: string): boolean;
+    hasRole(role: string): boolean;
+    hasAnyRole(roles: string[]): boolean;
+    hasPermission(permission: string): boolean;
+    getUser(): AuthUser | null;
+    getAccessToken(): string | null;
+    isAuthenticated(): boolean;
+    getState(): AuthState;
+    /**
+     * Hydrate the client with a session resolved server-side.
+     * Use to skip the initial loading flicker on SSR-rendered pages.
+     * Safe to call multiple times — subsequent calls are no-ops.
+     */
+    hydrate(session: HydrateSession | null): void;
+    isHydrated(): boolean;
+    on<K extends AuthEvent>(event: K, handler: AuthEventHandler<K>): void;
+    off<K extends AuthEvent>(event: K, handler: AuthEventHandler<K>): void;
+    subscribe(listener: (state: AuthState) => void): () => void;
+    destroy(): void;
+    private _refreshWithCircuit;
+    private _doRefresh;
+    private handleUnauthorized;
+    private applyTokens;
+    private scheduleRefresh;
+    private clearRefreshTimer;
+    private clearRefreshCircuitTimer;
+    private resetRefreshFailures;
+    private registerRefreshFailure;
+    private resetState;
+    private getSyncPayload;
+    private handleTabMessage;
+    private notify;
+    private emit;
+}
+/**
+ * Factory function to create an auth client.
+ */
+declare function createAuthClient(config: AuthClientConfig): NajmAuthClient;
+
+export { AuthError as A, type DecodedToken as D, FetchClient as F, type HydrateSession as H, NajmAuthClient as N, type RetryConfig as R, type SyncPayload as S, type TabSyncMessage as T, type AuthClientConfig as a, type AuthEventMap as b, createAuthClient as c, type AuthState as d, type AuthUser as e, type AuthEvent as f, type AuthEventHandler as g, type ServerResponse as h, type TokenPair as i, type RequestOptions as j };

package/dist/client/index.d.ts

@@ -1,6 +1,5 @@
-export { H as HydrateSession, N as NajmAuthClient, c as createAuthClient } from '../NajmAuthClient-CZHKl4ri.js';
-import { D as DecodedToken, T as TabSyncMessage, S as SyncPayload } from '../FetchClient-DadnuVF7.js';
-export { a as AuthClientConfig, A as AuthError, e as AuthEvent, f as AuthEventHandler, b as AuthEventMap, c as AuthState, d as AuthUser, F as FetchClient, i as RequestOptions, R as RetryConfig, g as ServerResponse, h as TokenPair } from '../FetchClient-DadnuVF7.js';
+import { D as DecodedToken, T as TabSyncMessage, S as SyncPayload } from '../NajmAuthClient-D08--i69.js';
+export { a as AuthClientConfig, A as AuthError, f as AuthEvent, g as AuthEventHandler, b as AuthEventMap, d as AuthState, e as AuthUser, F as FetchClient, H as HydrateSession, N as NajmAuthClient, j as RequestOptions, R as RetryConfig, h as ServerResponse, i as TokenPair, c as createAuthClient } from '../NajmAuthClient-D08--i69.js';
 
 /**
  * Decode a JWT token payload without verification.

package/dist/client/react/index.d.ts

@@ -1,8 +1,7 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import * as react from 'react';
 import { ReactNode, CSSProperties, ReactElement } from 'react';
-import { N as NajmAuthClient, H as HydrateSession } from '../../NajmAuthClient-CZHKl4ri.js';
-import { c as AuthState, d as AuthUser, A as AuthError, e as AuthEvent, b as AuthEventMap } from '../../FetchClient-DadnuVF7.js';
+import { N as NajmAuthClient, H as HydrateSession, d as AuthState, e as AuthUser, A as AuthError, f as AuthEvent, b as AuthEventMap } from '../../NajmAuthClient-D08--i69.js';
 
 interface AuthProviderProps {
     client: NajmAuthClient;

package/dist/client/server/index.d.ts

@@ -1,4 +1,4 @@
-import { d as AuthUser, F as FetchClient } from '../../FetchClient-DadnuVF7.js';
+import { e as AuthUser, F as FetchClient, R as RetryConfig, N as NajmAuthClient } from '../../NajmAuthClient-D08--i69.js';
 import * as next_server from 'next/server';
 
 interface GetServerSessionOptions {
@@ -202,6 +202,18 @@ interface DefineAuthConfig {
     apiBaseURL?: string;
     /** Auth prefix appended to apiBaseURL (default: '/auth') */
     authPrefix?: string;
+    /** Refresh token cookie name (default: 'refreshToken') */
+    cookieName?: string;
+    /** Proactive refresh at this fraction of token lifetime (default: 0.8) */
+    refreshThreshold?: number;
+    /** Enable multi-tab sync via BroadcastChannel (default: true) */
+    tabSync?: boolean;
+    /** BroadcastChannel name (default: 'najm-auth') */
+    channelName?: string;
+    /** Request timeout in milliseconds (default: 30000) */
+    timeout?: number;
+    /** Network retry configuration */
+    retry?: RetryConfig;
     /** Route to redirect unauthenticated users (default: '/login') */
     loginRoute?: string;
     /** Route to redirect after login (default: '/dashboard') */
@@ -212,8 +224,6 @@ interface DefineAuthConfig {
     protectedRoutes?: string[];
     /** Routes restricted to specific roles: { '/admin/:path*': ['admin'] } */
     roleRoutes?: Record<string, string[]>;
-    /** Refresh token cookie name (default: 'refreshToken') */
-    cookieName?: string;
     /** Session cookie name (default: 'najm.session') */
     sessionCookieName?: string;
     /** Secret for verifying session cookie HMAC. Falls back to env vars. */
@@ -222,6 +232,15 @@ interface DefineAuthConfig {
     matcher?: string[];
 }
 interface AuthKit {
+    /**
+     * Browser auth client — lazily instantiated on first access.
+     *
+     * Safe to touch from server/edge runtimes (constructor is runtime-guarded),
+     * but intended for client-side use via `<AuthProvider client={auth.client}>`.
+     */
+    readonly client: NajmAuthClient;
+    /** Shortcut for `client.api` — the underlying FetchClient with auth attached. */
+    readonly api: FetchClient;
     /** Resolve session — reads signed cookie first (instant), falls back to /auth/me */
     getSession: (opts?: Pick<GetSessionConfig, 'mode'>) => Promise<ServerSession | null>;
     /** Require session — throws if unauthenticated */

package/dist/client/server/index.js

@@ -460,6 +460,421 @@ function withAuth(Page, options = {}) {
 }
 __name(withAuth, "withAuth");
 
+// src/client/tokenDecoder.ts
+function decodeToken(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const json = typeof atob === "function" ? atob(payload) : Buffer.from(payload, "base64").toString("utf-8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+__name(decodeToken, "decodeToken");
+function getTokenTTL(decoded) {
+  if (!decoded.exp) return 0;
+  return Math.max(0, decoded.exp - Date.now() / 1e3);
+}
+__name(getTokenTTL, "getTokenTTL");
+
+// src/client/NajmAuthClient.ts
+init_permissions();
+
+// src/client/tabSync.ts
+var TabSync = class {
+  constructor(channelName, onMessage) {
+    this.onMessage = onMessage;
+    this.channel = new BroadcastChannel(channelName);
+    this.channel.onmessage = (e) => this.onMessage(e.data);
+  }
+  static {
+    __name(this, "TabSync");
+  }
+  channel;
+  broadcastSync(state) {
+    this.channel.postMessage({ type: "sync", state });
+  }
+  broadcastLogout() {
+    this.channel.postMessage({ type: "logout" });
+  }
+  destroy() {
+    this.channel.close();
+  }
+};
+
+// src/client/NajmAuthClient.ts
+var INITIAL_STATE = {
+  user: null,
+  accessToken: null,
+  isAuthenticated: false,
+  isLoading: false,
+  roles: [],
+  permissions: []
+};
+var NajmAuthClient = class _NajmAuthClient {
+  constructor(config) {
+    this.config = config;
+    this.prefix = config.authPrefix ?? "/auth";
+    this.threshold = config.refreshThreshold ?? 0.8;
+    this.api = new FetchClient({
+      baseURL: config.baseURL,
+      credentials: "include",
+      timeout: config.timeout ?? 3e4,
+      getToken: /* @__PURE__ */ __name(() => this.state.accessToken, "getToken"),
+      onUnauthorized: /* @__PURE__ */ __name(() => this.handleUnauthorized(), "onUnauthorized"),
+      retry: config.retry
+    });
+    if (config.tabSync !== false && typeof BroadcastChannel !== "undefined") {
+      const name = config.channelName ?? "najm-auth";
+      this.tabSync = new TabSync(name, (msg) => this.handleTabMessage(msg));
+    }
+  }
+  static {
+    __name(this, "NajmAuthClient");
+  }
+  static MAX_REFRESH_FAILURES = 3;
+  static CIRCUIT_RESET_MS = 6e4;
+  state = { ...INITIAL_STATE };
+  refreshTimer = null;
+  refreshCircuitTimer = null;
+  refreshPromise = null;
+  fetchUserPromise = null;
+  refreshFailures = 0;
+  _hydrated = false;
+  // Subscriptions (for React useSyncExternalStore)
+  listeners = /* @__PURE__ */ new Set();
+  eventListeners = /* @__PURE__ */ new Map();
+  // Multi-tab sync
+  tabSync = null;
+  // Public fetch client
+  api;
+  prefix;
+  threshold;
+  // =========================================================================
+  // Auth Operations
+  // =========================================================================
+  async login(credentials) {
+    const res = await this.api.post(
+      `${this.prefix}/login`,
+      { body: credentials, skipAuth: true }
+    );
+    this.applyTokens(res.data);
+    if (res.data.user) {
+      this.state = { ...this.state, user: res.data.user };
+      this.notify();
+    } else {
+      await this.fetchUser();
+    }
+    this.tabSync?.broadcastSync(this.getSyncPayload());
+    this.emit("login", this.state.user);
+    return this.state.user;
+  }
+  async register(data) {
+    const res = await this.api.post(
+      `${this.prefix}/register`,
+      { body: data, skipAuth: true }
+    );
+    return res.data;
+  }
+  async logout() {
+    this.resetState();
+    this.tabSync?.broadcastLogout();
+    this.emit("logout", null);
+    try {
+      await this.api.post(`${this.prefix}/logout`);
+    } catch (err) {
+      this.emit("logoutError", err);
+    }
+  }
+  async refresh() {
+    if (this.refreshFailures >= _NajmAuthClient.MAX_REFRESH_FAILURES) {
+      throw new Error("Session expired (circuit open)");
+    }
+    if (!this.refreshPromise) {
+      this.refreshPromise = this._refreshWithCircuit().finally(() => {
+        this.refreshPromise = null;
+      });
+    }
+    return this.refreshPromise;
+  }
+  async fetchUser() {
+    if (!this.fetchUserPromise) {
+      this.fetchUserPromise = this._doFetchUser().finally(() => {
+        this.fetchUserPromise = null;
+      });
+    }
+    return this.fetchUserPromise;
+  }
+  async _doFetchUser() {
+    try {
+      const res = await this.api.get(`${this.prefix}/me`);
+      this.state = { ...this.state, user: res.data };
+      this.notify();
+      this.emit("userUpdated", res.data);
+      return res.data;
+    } catch {
+      return null;
+    }
+  }
+  async forgotPassword(data) {
+    await this.api.post(`${this.prefix}/forgot-password`, { body: data, skipAuth: true });
+  }
+  async changePassword(data) {
+    await this.api.post(`${this.prefix}/change-password`, { body: data });
+    this.resetState();
+    this.tabSync?.broadcastLogout();
+    this.emit("logout", null);
+  }
+  async resetPassword(data) {
+    await this.api.post(`${this.prefix}/reset-password`, { body: data, skipAuth: true });
+  }
+  // =========================================================================
+  // Permissions (decoded from JWT — instant, no round-trip)
+  // =========================================================================
+  can(permission) {
+    return matchPermission(this.state.permissions, permission);
+  }
+  hasRole(role) {
+    return hasRole(this.state.roles, role);
+  }
+  hasAnyRole(roles) {
+    return hasAnyRole(this.state.roles, roles);
+  }
+  hasPermission(permission) {
+    return this.can(permission);
+  }
+  // =========================================================================
+  // State Access
+  // =========================================================================
+  getUser() {
+    return this.state.user;
+  }
+  getAccessToken() {
+    return this.state.accessToken;
+  }
+  isAuthenticated() {
+    return this.state.isAuthenticated;
+  }
+  getState() {
+    return this.state;
+  }
+  // =========================================================================
+  // Hydration (SSR)
+  // =========================================================================
+  /**
+   * Hydrate the client with a session resolved server-side.
+   * Use to skip the initial loading flicker on SSR-rendered pages.
+   * Safe to call multiple times — subsequent calls are no-ops.
+   */
+  hydrate(session) {
+    if (this._hydrated) return;
+    this._hydrated = true;
+    this.resetRefreshFailures();
+    if (!session || !session.user) {
+      this.state = { ...INITIAL_STATE };
+      this.notify();
+      return;
+    }
+    this.state = {
+      ...this.state,
+      user: session.user,
+      accessToken: session.accessToken ?? null,
+      isAuthenticated: true,
+      isLoading: false,
+      roles: session.roles ?? (session.user.role ? [session.user.role] : []),
+      permissions: session.permissions ?? session.user.permissions ?? []
+    };
+    if (session.accessToken) {
+      const decoded = decodeToken(session.accessToken);
+      if (decoded) {
+        if (!session.roles && decoded.roles) this.state.roles = decoded.roles;
+        if (!session.permissions && decoded.permissions) this.state.permissions = decoded.permissions;
+        this.scheduleRefresh(decoded);
+      }
+    }
+    this.notify();
+  }
+  isHydrated() {
+    return this._hydrated;
+  }
+  // =========================================================================
+  // Events
+  // =========================================================================
+  on(event, handler) {
+    if (!this.eventListeners.has(event)) this.eventListeners.set(event, /* @__PURE__ */ new Set());
+    this.eventListeners.get(event).add(handler);
+  }
+  off(event, handler) {
+    this.eventListeners.get(event)?.delete(handler);
+  }
+  // =========================================================================
+  // Subscribe (for React useSyncExternalStore)
+  // =========================================================================
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  // =========================================================================
+  // Cleanup
+  // =========================================================================
+  destroy() {
+    this.clearRefreshTimer();
+    this.clearRefreshCircuitTimer();
+    this.tabSync?.destroy();
+    this.tabSync = null;
+    this.refreshFailures = 0;
+    this.state = { ...INITIAL_STATE };
+    this.listeners.clear();
+    this.eventListeners.clear();
+  }
+  // =========================================================================
+  // Internals
+  // =========================================================================
+  async _refreshWithCircuit() {
+    try {
+      await this._doRefresh();
+      this.resetRefreshFailures();
+    } catch (err) {
+      const shouldOpenCircuit = this.registerRefreshFailure(err);
+      if (shouldOpenCircuit) {
+        this.resetState();
+        this.emit("sessionExpired", null);
+        if (err instanceof AuthError && err.status === 401) {
+          throw new Error("Session expired");
+        }
+        throw new Error("Session expired (circuit open)");
+      }
+      throw err;
+    }
+  }
+  async _doRefresh() {
+    const res = await this.api.post(
+      `${this.prefix}/refresh`,
+      { skipAuth: true }
+    );
+    this.applyTokens(res.data);
+    this.tabSync?.broadcastSync(this.getSyncPayload());
+    this.emit("tokenRefresh", null);
+  }
+  async handleUnauthorized() {
+    try {
+      await this.refresh();
+      return this.state.accessToken;
+    } catch {
+      return null;
+    }
+  }
+  applyTokens(tokens) {
+    this.resetRefreshFailures();
+    const decoded = decodeToken(tokens.accessToken);
+    this.state = {
+      ...this.state,
+      accessToken: tokens.accessToken,
+      isAuthenticated: true,
+      isLoading: false,
+      roles: decoded?.roles ?? [],
+      permissions: decoded?.permissions ?? []
+    };
+    if (decoded) this.scheduleRefresh(decoded);
+    this.notify();
+  }
+  scheduleRefresh(decoded) {
+    this.clearRefreshTimer();
+    const ttl = getTokenTTL(decoded);
+    if (ttl <= 0) return;
+    const delay = ttl * this.threshold * 1e3;
+    this.refreshTimer = setTimeout(() => this.refresh().catch(() => {
+    }), delay);
+  }
+  clearRefreshTimer() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+  }
+  clearRefreshCircuitTimer() {
+    if (this.refreshCircuitTimer) {
+      clearTimeout(this.refreshCircuitTimer);
+      this.refreshCircuitTimer = null;
+    }
+  }
+  resetRefreshFailures() {
+    this.refreshFailures = 0;
+    this.clearRefreshCircuitTimer();
+  }
+  registerRefreshFailure(err) {
+    if (err instanceof AuthError && err.status === 401) {
+      this.refreshFailures = _NajmAuthClient.MAX_REFRESH_FAILURES;
+    } else {
+      this.refreshFailures += 1;
+    }
+    if (this.refreshFailures >= _NajmAuthClient.MAX_REFRESH_FAILURES) {
+      this.clearRefreshCircuitTimer();
+      this.refreshCircuitTimer = setTimeout(() => {
+        this.refreshFailures = 0;
+        this.refreshCircuitTimer = null;
+      }, _NajmAuthClient.CIRCUIT_RESET_MS);
+      return true;
+    }
+    return false;
+  }
+  resetState() {
+    this.clearRefreshTimer();
+    this.state = { ...INITIAL_STATE };
+    this.notify();
+  }
+  getSyncPayload() {
+    return {
+      accessToken: this.state.accessToken,
+      user: this.state.user,
+      roles: this.state.roles,
+      permissions: this.state.permissions,
+      isAuthenticated: this.state.isAuthenticated
+    };
+  }
+  handleTabMessage(msg) {
+    switch (msg.type) {
+      case "logout":
+        this.clearRefreshTimer();
+        this.state = { ...INITIAL_STATE };
+        this.notify();
+        this.emit("logout", null);
+        break;
+      case "sync":
+        this.state = {
+          ...this.state,
+          accessToken: msg.state.accessToken,
+          user: msg.state.user,
+          roles: msg.state.roles,
+          permissions: msg.state.permissions,
+          isAuthenticated: msg.state.isAuthenticated,
+          isLoading: false
+        };
+        if (msg.state.accessToken) {
+          const decoded = decodeToken(msg.state.accessToken);
+          if (decoded) this.scheduleRefresh(decoded);
+        }
+        this.notify();
+        break;
+    }
+  }
+  notify() {
+    this.listeners.forEach((l) => l(this.state));
+  }
+  emit(event, data) {
+    this.eventListeners.get(event)?.forEach((h) => h(data));
+    if (event !== "stateChange") {
+      this.eventListeners.get("stateChange")?.forEach((h) => h(this.state));
+    }
+  }
+};
+function createAuthClient(config) {
+  return new NajmAuthClient(config);
+}
+__name(createAuthClient, "createAuthClient");
+
 // src/client/server/defineAuth.ts
 function matchesAny2(pathname, patterns) {
   return patterns.some((p) => matchPattern2(pathname, p));
@@ -493,7 +908,12 @@ function defineAuth(authConfig = {}) {
     cookieName = "refreshToken",
     sessionCookieName = "najm.session",
     sessionSecret,
-    matcher = ["/((?!_next/static|_next/image|favicon.ico|api).*)"]
+    matcher = ["/((?!_next/static|_next/image|favicon.ico|api).*)"],
+    refreshThreshold,
+    tabSync,
+    channelName,
+    timeout,
+    retry
   } = authConfig;
   const sessionConfig = {
     baseURL: void 0,
@@ -503,6 +923,20 @@ function defineAuth(authConfig = {}) {
     sessionCookieName,
     sessionSecret
   };
+  let _client = null;
+  const getClient = /* @__PURE__ */ __name(() => {
+    if (_client) return _client;
+    _client = createAuthClient({
+      baseURL: apiBaseURL,
+      authPrefix,
+      refreshThreshold,
+      tabSync,
+      channelName,
+      timeout,
+      retry
+    });
+    return _client;
+  }, "getClient");
   const getSession2 = /* @__PURE__ */ __name(async (opts) => {
     const { getSession: resolveSession } = await Promise.resolve().then(() => (init_getSession(), getSession_exports));
     return resolveSession({ ...sessionConfig, ...opts });
@@ -596,6 +1030,12 @@ function defineAuth(authConfig = {}) {
     }, "ProtectedPage");
   }, "protect");
   return {
+    get client() {
+      return getClient();
+    },
+    get api() {
+      return getClient().api;
+    },
     getSession: getSession2,
     requireSession,
     middleware,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "najm-auth",
-  "version": "1.1.23",
+  "version": "1.1.24",
   "description": "Authentication and authorization library for najm framework",
   "type": "module",
   "files": [

package/dist/NajmAuthClient-CZHKl4ri.d.ts

@@ -1,86 +0,0 @@
-import { F as FetchClient, a as AuthClientConfig, d as AuthUser, c as AuthState, e as AuthEvent, f as AuthEventHandler } from './FetchClient-DadnuVF7.js';
-
-interface HydrateSession {
-    user: AuthUser | null;
-    accessToken?: string | null;
-    roles?: string[];
-    permissions?: string[];
-}
-declare class NajmAuthClient {
-    private config;
-    private static readonly MAX_REFRESH_FAILURES;
-    private static readonly CIRCUIT_RESET_MS;
-    private state;
-    private refreshTimer;
-    private refreshCircuitTimer;
-    private refreshPromise;
-    private fetchUserPromise;
-    private refreshFailures;
-    private _hydrated;
-    private listeners;
-    private eventListeners;
-    private tabSync;
-    api: FetchClient;
-    private readonly prefix;
-    private readonly threshold;
-    constructor(config: AuthClientConfig);
-    login(credentials: {
-        email: string;
-        password: string;
-    }): Promise<AuthUser>;
-    register(data: Record<string, unknown>): Promise<AuthUser>;
-    logout(): Promise<void>;
-    refresh(): Promise<void>;
-    fetchUser(): Promise<AuthUser | null>;
-    private _doFetchUser;
-    forgotPassword(data: {
-        email: string;
-    }): Promise<void>;
-    changePassword(data: {
-        currentPassword: string;
-        newPassword: string;
-    }): Promise<void>;
-    resetPassword(data: {
-        token: string;
-        newPassword: string;
-    }): Promise<void>;
-    can(permission: string): boolean;
-    hasRole(role: string): boolean;
-    hasAnyRole(roles: string[]): boolean;
-    hasPermission(permission: string): boolean;
-    getUser(): AuthUser | null;
-    getAccessToken(): string | null;
-    isAuthenticated(): boolean;
-    getState(): AuthState;
-    /**
-     * Hydrate the client with a session resolved server-side.
-     * Use to skip the initial loading flicker on SSR-rendered pages.
-     * Safe to call multiple times — subsequent calls are no-ops.
-     */
-    hydrate(session: HydrateSession | null): void;
-    isHydrated(): boolean;
-    on<K extends AuthEvent>(event: K, handler: AuthEventHandler<K>): void;
-    off<K extends AuthEvent>(event: K, handler: AuthEventHandler<K>): void;
-    subscribe(listener: (state: AuthState) => void): () => void;
-    destroy(): void;
-    private _refreshWithCircuit;
-    private _doRefresh;
-    private handleUnauthorized;
-    private applyTokens;
-    private scheduleRefresh;
-    private clearRefreshTimer;
-    private clearRefreshCircuitTimer;
-    private resetRefreshFailures;
-    private registerRefreshFailure;
-    private resetState;
-    private getSyncPayload;
-    private handleTabMessage;
-    private notify;
-    private emit;
-}
-/**
- * Factory function to create an auth client.
- */
-declare function createAuthClient(config: AuthClientConfig): NajmAuthClient;
-
-export { type HydrateSession as H, NajmAuthClient as N, createAuthClient as c };