ofauth-shared-core 0.1.0-alpha.0 → 0.1.0-alpha.1

package/dist/data/schemas.js

@@ -1,109 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ofauthSchema = exports.OFAUTH_TABLES = void 0;
-exports.getOfauthTableSchemas = getOfauthTableSchemas;
-exports.OFAUTH_TABLES = {
-    identities: 'ofauth_identities',
-    assignments: 'ofauth_assignments',
-    sessions: 'ofauth_sessions',
-    policyProfiles: 'ofauth_policy_profiles',
-    policyStepups: 'ofauth_policy_stepups',
-    auditEvents: 'ofauth_audit_events',
-};
-const tableSchemas = [
-    {
-        name: exports.OFAUTH_TABLES.identities,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'principal', type: 'string', isIndexed: true },
-            { name: 'secretHash', type: 'string' },
-            { name: 'verifyMethod', type: 'string', enum: ['pin', 'password', 'custom'] },
-            { name: 'status', type: 'string', enum: ['active', 'disabled', 'locked'], isIndexed: true },
-            { name: 'failedAttempts', type: 'number' },
-            { name: 'lockoutUntil', type: 'string', isOptional: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.assignments,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'identityId', type: 'string', isIndexed: true },
-            { name: 'roleRef', type: 'string', isIndexed: true },
-            { name: 'tenantId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'branchId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'scopeAttributes', type: 'json', isOptional: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.sessions,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'identityId', type: 'string', isIndexed: true },
-            { name: 'activeAssignmentId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'assuranceLevel', type: 'string', enum: ['basic', 'elevated'], isIndexed: true },
-            { name: 'issuedAt', type: 'string' },
-            { name: 'expiresAt', type: 'string', isIndexed: true },
-            { name: 'revokedAt', type: 'string', isOptional: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.policyProfiles,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'profileId', type: 'string', isIndexed: true },
-            { name: 'defaultAssuranceLevel', type: 'string', enum: ['basic', 'elevated'] },
-            { name: 'lockoutPolicyRef', type: 'string' },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.policyStepups,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'actionRef', type: 'string', isIndexed: true },
-            { name: 'requiredAssuranceLevel', type: 'string', enum: ['basic', 'elevated'] },
-            { name: 'reauthWindowSeconds', type: 'number', isOptional: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.auditEvents,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'eventType', type: 'string', isIndexed: true },
-            { name: 'identityId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'sessionId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'tenantId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'branchId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'scopeAttributes', type: 'json', isOptional: true },
-            { name: 'result', type: 'string', enum: ['success', 'failed'], isIndexed: true },
-            { name: 'reasonCode', type: 'string', isOptional: true },
-            { name: 'timestamp', type: 'string', isIndexed: true },
-            { name: 'syncStatus', type: 'string', enum: ['pending', 'replayed'], isIndexed: true },
-            { name: 'replayedAt', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-];
-exports.ofauthSchema = {
-    version: 2,
-    tables: tableSchemas,
-};
-function getOfauthTableSchemas() {
-    return exports.ofauthSchema.tables;
-}

package/dist/runtime/ContractStage.js

@@ -1,4 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OFAUTH_CONTRACT_STAGE = void 0;
-exports.OFAUTH_CONTRACT_STAGE = 'phase1-contract-only';

package/dist/services/AuthAuditService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/AuthHostComposition.js

@@ -1,100 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.loginWithResolvedContext = loginWithResolvedContext;
-exports.refreshResolvedContext = refreshResolvedContext;
-exports.switchContextWithResolvedState = switchContextWithResolvedState;
-exports.evaluateProtectedRouteGate = evaluateProtectedRouteGate;
-const SessionContract_1 = require("../contracts/SessionContract");
-function findAssignment(assignments, assignmentId) {
-    if (!assignmentId)
-        return undefined;
-    return assignments.find((row) => row.assignmentId === assignmentId);
-}
-function isScopeAllowed(scope, policy) {
-    if (policy.requiredTenantId && scope.tenantId !== policy.requiredTenantId)
-        return false;
-    if (policy.requiredBranchId && scope.branchId !== policy.requiredBranchId)
-        return false;
-    if (policy.requiredScopeAttributes) {
-        const attrs = scope.attributes ?? {};
-        for (const [key, value] of Object.entries(policy.requiredScopeAttributes)) {
-            if (attrs[key] !== value)
-                return false;
-        }
-    }
-    return true;
-}
-async function buildResolvedContext(services, input) {
-    const session = await services.sessionService.getActiveSession(input.sessionId);
-    if (!session)
-        return null;
-    const assignments = await services.contextService.listAssignments(input.identityId);
-    let activeContext = await services.contextService.getActiveContext(input.sessionId);
-    if (!activeContext && assignments[0]) {
-        const switched = await services.contextService.switchContext({
-            sessionId: input.sessionId,
-            targetAssignmentId: assignments[0].assignmentId,
-            ...(input.assignmentFallbackReason ? { reasonCode: input.assignmentFallbackReason } : {}),
-        });
-        activeContext = switched.activeContext;
-    }
-    const activeAssignment = findAssignment(assignments, activeContext?.assignmentId);
-    return {
-        sessionId: input.sessionId,
-        identityId: input.identityId,
-        principal: input.principal,
-        assignments,
-        activeContextAssignmentId: activeContext?.assignmentId,
-        activeAssignment,
-        scopeRef: activeContext?.scopeRef ?? activeAssignment?.scopeRef ?? session.activeScopeRef ?? {},
-        roleRef: activeAssignment?.roleRef,
-        assuranceLevel: session.assuranceLevel,
-    };
-}
-async function loginWithResolvedContext(services, input) {
-    const login = await services.identityService.login(input);
-    const resolved = await buildResolvedContext(services, {
-        sessionId: login.sessionId,
-        identityId: login.identity.identityId,
-        principal: login.identity.principal,
-        assignmentFallbackReason: 'AUTO_CONTEXT_AFTER_LOGIN',
-    });
-    if (!resolved) {
-        throw new Error('session is not active after login');
-    }
-    return resolved;
-}
-async function refreshResolvedContext(services, input) {
-    return buildResolvedContext(services, input);
-}
-async function switchContextWithResolvedState(services, input) {
-    await services.contextService.switchContext({
-        sessionId: input.sessionId,
-        targetAssignmentId: input.targetAssignmentId,
-        ...(input.reasonCode ? { reasonCode: input.reasonCode } : {}),
-    });
-    const resolved = await buildResolvedContext(services, input);
-    if (!resolved) {
-        throw new Error('session is not active while switching context');
-    }
-    return resolved;
-}
-function evaluateProtectedRouteGate(resolved, policy = {}) {
-    if (!resolved) {
-        return { allowed: false, reasonCode: 'NO_SESSION' };
-    }
-    const minimumAssurance = policy.minimumAssuranceLevel ?? 'basic';
-    if (!(0, SessionContract_1.isAssuranceLevelAtLeast)(resolved.assuranceLevel, minimumAssurance)) {
-        return { allowed: false, reasonCode: 'ASSURANCE_TOO_LOW' };
-    }
-    if (policy.requiredRoleRefs?.length) {
-        const hasRole = !!resolved.roleRef && policy.requiredRoleRefs.includes(resolved.roleRef);
-        if (!hasRole) {
-            return { allowed: false, reasonCode: 'ROLE_FORBIDDEN' };
-        }
-    }
-    if (!isScopeAllowed(resolved.scopeRef, policy)) {
-        return { allowed: false, reasonCode: 'SCOPE_FORBIDDEN' };
-    }
-    return { allowed: true };
-}

package/dist/services/AuthPolicyService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/ContextService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/IdentityService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/SessionService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/createContractOnlyOfauthServices.js

@@ -1,82 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createContractOnlyOfauthServices = createContractOnlyOfauthServices;
-function notImplemented(message) {
-    const error = {
-        code: 'AUTH_NOT_IMPLEMENTED',
-        message,
-        retryable: false,
-    };
-    throw error;
-}
-function createContractOnlyOfauthServices() {
-    return {
-        identityService: {
-            async verifyCredential() {
-                return notImplemented('identityService.verifyCredential not implemented yet');
-            },
-            async login() {
-                return notImplemented('identityService.login not implemented yet');
-            },
-            async logout() {
-                return notImplemented('identityService.logout not implemented yet');
-            },
-        },
-        sessionService: {
-            async createSession() {
-                return notImplemented('sessionService.createSession not implemented yet');
-            },
-            async refreshSession() {
-                return notImplemented('sessionService.refreshSession not implemented yet');
-            },
-            async revokeSession() {
-                return notImplemented('sessionService.revokeSession not implemented yet');
-            },
-            async getActiveSession() {
-                return notImplemented('sessionService.getActiveSession not implemented yet');
-            },
-        },
-        contextService: {
-            async listAssignments() {
-                return notImplemented('contextService.listAssignments not implemented yet');
-            },
-            async getActiveContext() {
-                return notImplemented('contextService.getActiveContext not implemented yet');
-            },
-            async switchContext() {
-                return notImplemented('contextService.switchContext not implemented yet');
-            },
-        },
-        authPolicyService: {
-            async getPolicySnapshot() {
-                return notImplemented('authPolicyService.getPolicySnapshot not implemented yet');
-            },
-            async getStepUpRequirement() {
-                return notImplemented('authPolicyService.getStepUpRequirement not implemented yet');
-            },
-            async evaluateStepUp() {
-                return notImplemented('authPolicyService.evaluateStepUp not implemented yet');
-            },
-            async enforceStepUp() {
-                return notImplemented('authPolicyService.enforceStepUp not implemented yet');
-            },
-            async markStepUpPassed() {
-                return notImplemented('authPolicyService.markStepUpPassed not implemented yet');
-            },
-        },
-        authAuditService: {
-            async appendEvent() {
-                return notImplemented('authAuditService.appendEvent not implemented yet');
-            },
-            async queryEvents() {
-                return notImplemented('authAuditService.queryEvents not implemented yet');
-            },
-            async listPendingReplay() {
-                return notImplemented('authAuditService.listPendingReplay not implemented yet');
-            },
-            async markReplayed() {
-                return notImplemented('authAuditService.markReplayed not implemented yet');
-            },
-        },
-    };
-}

package/dist/services/createDbAdapterOfauthServices.js

@@ -1,22 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createDbAdapterOfauthServices = createDbAdapterOfauthServices;
-const DbAdapterAuthAuditService_1 = require("./impl/DbAdapterAuthAuditService");
-const DbAdapterAuthPolicyService_1 = require("./impl/DbAdapterAuthPolicyService");
-const DbAdapterContextService_1 = require("./impl/DbAdapterContextService");
-const DbAdapterIdentityService_1 = require("./impl/DbAdapterIdentityService");
-const DbAdapterSessionService_1 = require("./impl/DbAdapterSessionService");
-async function createDbAdapterOfauthServices(db, options = {}) {
-    const authAuditService = new DbAdapterAuthAuditService_1.DbAdapterAuthAuditService(db, options);
-    const sessionService = new DbAdapterSessionService_1.DbAdapterSessionService(db, options);
-    const contextService = new DbAdapterContextService_1.DbAdapterContextService(db, authAuditService);
-    const authPolicyService = new DbAdapterAuthPolicyService_1.DbAdapterAuthPolicyService(db, authAuditService);
-    const identityService = new DbAdapterIdentityService_1.DbAdapterIdentityService(db, options, sessionService, contextService, authAuditService);
-    return {
-        identityService,
-        sessionService,
-        contextService,
-        authPolicyService,
-        authAuditService,
-    };
-}

package/dist/services/errors.js

@@ -1,20 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OfauthDomainError = void 0;
-exports.unauthorized = unauthorized;
-exports.invalidState = invalidState;
-class OfauthDomainError extends Error {
-    constructor(code, message, retryable = false) {
-        super(message);
-        this.code = code;
-        this.retryable = retryable;
-        this.name = 'OfauthDomainError';
-    }
-}
-exports.OfauthDomainError = OfauthDomainError;
-function unauthorized(code, message) {
-    return new OfauthDomainError(code, message, false);
-}
-function invalidState(message) {
-    return new OfauthDomainError('AUTH_NOT_IMPLEMENTED', message, false);
-}

package/dist/services/impl/DbAdapterAuthAuditService.js

@@ -1,107 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterAuthAuditService = void 0;
-const schemas_1 = require("../../data/schemas");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterAuthAuditService {
-    constructor(db, options) {
-        this.db = db;
-        this.options = options;
-        this.newId = (0, runtimeSupport_1.makeIdFactory)('auth-audit');
-    }
-    async appendEvent(event) {
-        const row = {
-            id: event.eventId || this.newId(),
-            eventType: event.eventType,
-            identityId: event.identityId ?? null,
-            sessionId: event.sessionId ?? null,
-            tenantId: event.scopeRef?.tenantId ?? null,
-            branchId: event.scopeRef?.branchId ?? null,
-            scopeAttributes: event.scopeRef?.attributes ?? null,
-            result: event.result,
-            reasonCode: event.reasonCode ?? null,
-            timestamp: event.timestamp,
-            syncStatus: event.syncStatus ?? 'pending',
-            replayedAt: event.replayedAt ?? null,
-            version: 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-            deleted: false,
-        };
-        await this.db.create(schemas_1.OFAUTH_TABLES.auditEvents, row);
-        await (0, runtimeSupport_1.emitAuthActivity)(this.options, event);
-    }
-    async queryEvents(query) {
-        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.auditEvents, {
-            filters: { deleted: false },
-            sort: [{ field: 'timestamp', direction: 'desc' }],
-        });
-        return rows
-            .filter((row) => (query.identityId ? row.identityId === query.identityId : true))
-            .filter((row) => (query.sessionId ? row.sessionId === query.sessionId : true))
-            .filter((row) => (query.eventTypes?.length ? query.eventTypes.includes(row.eventType) : true))
-            .filter((row) => (query.fromTimestamp ? row.timestamp >= query.fromTimestamp : true))
-            .filter((row) => (query.toTimestamp ? row.timestamp <= query.toTimestamp : true))
-            .map((row) => ({
-            eventId: row.id,
-            eventType: row.eventType,
-            identityId: row.identityId ?? undefined,
-            sessionId: row.sessionId ?? undefined,
-            scopeRef: row.tenantId || row.branchId || row.scopeAttributes
-                ? {
-                    ...(row.tenantId ? { tenantId: row.tenantId } : {}),
-                    ...(row.branchId ? { branchId: row.branchId } : {}),
-                    ...(row.scopeAttributes ? { attributes: row.scopeAttributes } : {}),
-                }
-                : undefined,
-            result: row.result,
-            reasonCode: row.reasonCode ?? undefined,
-            timestamp: row.timestamp,
-            syncStatus: row.syncStatus ?? 'pending',
-            replayedAt: row.replayedAt ?? undefined,
-        }));
-    }
-    async listPendingReplay(query = {}) {
-        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.auditEvents, {
-            filters: { deleted: false },
-            sort: [{ field: 'timestamp', direction: 'asc' }],
-        });
-        return rows
-            .filter((row) => row.syncStatus !== 'replayed')
-            .slice(0, query.limit ?? rows.length)
-            .map((row) => ({
-            eventId: row.id,
-            eventType: row.eventType,
-            identityId: row.identityId ?? undefined,
-            sessionId: row.sessionId ?? undefined,
-            scopeRef: row.tenantId || row.branchId || row.scopeAttributes
-                ? {
-                    ...(row.tenantId ? { tenantId: row.tenantId } : {}),
-                    ...(row.branchId ? { branchId: row.branchId } : {}),
-                    ...(row.scopeAttributes ? { attributes: row.scopeAttributes } : {}),
-                }
-                : undefined,
-            result: row.result,
-            reasonCode: row.reasonCode ?? undefined,
-            timestamp: row.timestamp,
-            syncStatus: row.syncStatus ?? 'pending',
-            replayedAt: row.replayedAt ?? undefined,
-        }));
-    }
-    async markReplayed(eventIds, replayedAt = (0, runtimeSupport_1.nowIso)()) {
-        let updatedCount = 0;
-        for (const eventId of eventIds) {
-            const row = await this.db.get(schemas_1.OFAUTH_TABLES.auditEvents, eventId);
-            if (!row || row.deleted || row.syncStatus === 'replayed')
-                continue;
-            await this.db.update(schemas_1.OFAUTH_TABLES.auditEvents, eventId, {
-                syncStatus: 'replayed',
-                replayedAt,
-                version: row.version + 1,
-                lastModified: (0, runtimeSupport_1.nowIso)(),
-            });
-            updatedCount += 1;
-        }
-        return updatedCount;
-    }
-}
-exports.DbAdapterAuthAuditService = DbAdapterAuthAuditService;

package/dist/services/impl/DbAdapterAuthPolicyService.js

@@ -1,114 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterAuthPolicyService = void 0;
-const SessionContract_1 = require("../../contracts/SessionContract");
-const schemas_1 = require("../../data/schemas");
-const errors_1 = require("../errors");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterAuthPolicyService {
-    constructor(db, authAuditService) {
-        this.db = db;
-        this.authAuditService = authAuditService;
-        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
-    }
-    async getActiveSessionOrThrow(sessionId) {
-        const row = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
-        if (!row || row.deleted || row.revokedAt || (0, runtimeSupport_1.isPast)(row.expiresAt)) {
-            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
-        }
-        return row;
-    }
-    async getPolicySnapshot() {
-        const profiles = await this.db.query(schemas_1.OFAUTH_TABLES.policyProfiles, {
-            filters: { deleted: false },
-            sort: [{ field: 'lastModified', direction: 'desc' }],
-        });
-        const stepups = await this.db.query(schemas_1.OFAUTH_TABLES.policyStepups, {
-            filters: { deleted: false },
-            sort: [{ field: 'lastModified', direction: 'desc' }],
-        });
-        return {
-            profiles: profiles.length > 0
-                ? profiles.map((p) => ({
-                    profileId: p.profileId,
-                    defaultAssuranceLevel: p.defaultAssuranceLevel,
-                    lockoutPolicyRef: p.lockoutPolicyRef,
-                }))
-                : (0, runtimeSupport_1.fallbackPolicyProfiles)(),
-            stepUpRequirements: stepups.map((s) => ({
-                actionRef: s.actionRef,
-                requiredAssuranceLevel: s.requiredAssuranceLevel,
-                reauthWindowSeconds: s.reauthWindowSeconds ?? undefined,
-            })),
-            version: '1',
-            updatedAt: (0, runtimeSupport_1.nowIso)(),
-        };
-    }
-    async getStepUpRequirement(actionRef) {
-        const row = await this.db.query(schemas_1.OFAUTH_TABLES.policyStepups, {
-            filters: { actionRef, deleted: false },
-            limit: 1,
-        });
-        if (!row[0])
-            return null;
-        return {
-            actionRef: row[0].actionRef,
-            requiredAssuranceLevel: row[0].requiredAssuranceLevel,
-            reauthWindowSeconds: row[0].reauthWindowSeconds ?? undefined,
-        };
-    }
-    async evaluateStepUp(sessionId, actionRef) {
-        const session = await this.getActiveSessionOrThrow(sessionId);
-        const requirement = await this.getStepUpRequirement(actionRef);
-        const requiredAssuranceLevel = requirement?.requiredAssuranceLevel ?? 'basic';
-        const requiresStepUp = !(0, SessionContract_1.isAssuranceLevelAtLeast)(session.assuranceLevel, requiredAssuranceLevel);
-        return {
-            actionRef,
-            requiredAssuranceLevel,
-            currentAssuranceLevel: session.assuranceLevel,
-            requiresStepUp,
-            reauthWindowSeconds: requirement?.reauthWindowSeconds,
-        };
-    }
-    async enforceStepUp(sessionId, actionRef) {
-        const session = await this.getActiveSessionOrThrow(sessionId);
-        const evalResult = await this.evaluateStepUp(sessionId, actionRef);
-        if (!evalResult.requiresStepUp)
-            return;
-        await this.authAuditService.appendEvent({
-            eventId: this.newEventId(),
-            eventType: 'STEP_UP_CHALLENGED',
-            identityId: session.identityId,
-            sessionId,
-            result: 'failed',
-            reasonCode: 'AUTH_STEP_UP_REQUIRED',
-            timestamp: (0, runtimeSupport_1.nowIso)(),
-        });
-        throw (0, errors_1.unauthorized)('AUTH_STEP_UP_REQUIRED', `Step-up required for action '${actionRef}' (needs ${evalResult.requiredAssuranceLevel})`);
-    }
-    async markStepUpPassed(sessionId, actionRef) {
-        const session = await this.getActiveSessionOrThrow(sessionId);
-        const requirement = await this.getStepUpRequirement(actionRef);
-        const targetAssurance = requirement?.requiredAssuranceLevel ?? 'elevated';
-        await this.db.update(schemas_1.OFAUTH_TABLES.sessions, sessionId, {
-            assuranceLevel: targetAssurance,
-            version: session.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-        await this.authAuditService.appendEvent({
-            eventId: this.newEventId(),
-            eventType: 'STEP_UP_PASSED',
-            identityId: session.identityId,
-            sessionId,
-            result: 'success',
-            reasonCode: actionRef,
-            timestamp: (0, runtimeSupport_1.nowIso)(),
-        });
-        const active = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
-        const assignment = active ? await (0, runtimeSupport_1.getAssignmentById)(this.db, active.activeAssignmentId) : null;
-        if (!active)
-            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
-        return (0, runtimeSupport_1.toSessionRef)(active, assignment ?? undefined);
-    }
-}
-exports.DbAdapterAuthPolicyService = DbAdapterAuthPolicyService;

package/dist/services/impl/DbAdapterContextService.js

@@ -1,79 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterContextService = void 0;
-const schemas_1 = require("../../data/schemas");
-const errors_1 = require("../errors");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterContextService {
-    constructor(db, authAuditService) {
-        this.db = db;
-        this.authAuditService = authAuditService;
-        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
-    }
-    async listAssignments(identityId) {
-        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.assignments, {
-            filters: { identityId, deleted: false },
-            sort: [{ field: 'lastModified', direction: 'desc' }],
-        });
-        return rows.map(runtimeSupport_1.toAssignment);
-    }
-    async getActiveContext(sessionId) {
-        const session = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
-        if (!session || session.deleted || session.revokedAt || !session.activeAssignmentId)
-            return null;
-        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, session.activeAssignmentId);
-        if (!assignment)
-            return null;
-        return {
-            sessionId,
-            assignmentId: assignment.id,
-            scopeRef: {
-                ...(assignment.tenantId ? { tenantId: assignment.tenantId } : {}),
-                ...(assignment.branchId ? { branchId: assignment.branchId } : {}),
-                ...(assignment.scopeAttributes ? { attributes: assignment.scopeAttributes } : {}),
-            },
-        };
-    }
-    async switchContext(input) {
-        const session = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
-        if (!session || session.deleted || session.revokedAt)
-            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
-        const target = await (0, runtimeSupport_1.getAssignmentById)(this.db, input.targetAssignmentId);
-        if (!target || target.identityId !== session.identityId) {
-            throw (0, errors_1.unauthorized)('AUTH_CONTEXT_FORBIDDEN', 'Requested context is not assigned to this identity');
-        }
-        const updatedSession = await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
-            activeAssignmentId: target.id,
-            version: session.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-        await this.authAuditService.appendEvent({
-            eventId: this.newEventId(),
-            eventType: 'CONTEXT_SWITCHED',
-            identityId: session.identityId,
-            sessionId: input.sessionId,
-            scopeRef: {
-                ...(target.tenantId ? { tenantId: target.tenantId } : {}),
-                ...(target.branchId ? { branchId: target.branchId } : {}),
-                ...(target.scopeAttributes ? { attributes: target.scopeAttributes } : {}),
-            },
-            result: 'success',
-            reasonCode: input.reasonCode,
-            timestamp: updatedSession.lastModified,
-        });
-        return {
-            activeContext: {
-                sessionId: input.sessionId,
-                assignmentId: target.id,
-                scopeRef: {
-                    ...(target.tenantId ? { tenantId: target.tenantId } : {}),
-                    ...(target.branchId ? { branchId: target.branchId } : {}),
-                    ...(target.scopeAttributes ? { attributes: target.scopeAttributes } : {}),
-                },
-            },
-            requiresStepUp: false,
-            reasonCode: input.reasonCode,
-        };
-    }
-}
-exports.DbAdapterContextService = DbAdapterContextService;