sentri 1.1.1 → 1.1.2

package/README.md

@@ -17,6 +17,7 @@ Auth and authorization library for Express + PostgreSQL. Provides JWT-based auth
 - [Programmatic API](#programmatic-api)
 - [Types](#types)
 - [Error Handling](#error-handling)
+- [Migration from 1.0.x](#migration-from-10x)
 
 ---
 
@@ -55,7 +56,7 @@ prisma/
   schema.prisma          ← Prisma models (Prisma only, created or appended)
 ```
 
-### 2. Mount the router
+### 2. Mount the router and error handler
 
 ```typescript
 import express from 'express';
@@ -64,6 +65,12 @@ import { auth } from './lib/sentri/auth.js';
 const app = express();
 app.use(express.json());
 app.use('/auth', auth.router());
+
+// ... your routes ...
+
+// Must be last — catches SentriError from sentri and your own subclasses
+app.use(auth.errorHandler());
+app.listen(3000);
 ```
 
 Done. All endpoints are available at `/auth/*`.
@@ -189,7 +196,7 @@ The `router` field in config lets you replace the built-in service logic for ind
 Each key is optional — only override what you need. Any key you omit falls back to the built-in behaviour.
 
 ```typescript
-import { createAuth, AuthError } from 'sentri';
+import { createAuth, SentriError } from 'sentri';
 import type { AuthResult } from 'sentri';
 
 export const auth = createAuth({
@@ -202,7 +209,7 @@ export const auth = createAuth({
     login: async (input): Promise<AuthResult> => {
       const otpVerified = await redis.get(`otp:${input.identifier}`);
       if (!otpVerified) {
-        return { success: false, error: new AuthError('INVALID_CREDENTIALS', 'OTP required') };
+        return { success: false, error: new SentriError('INVALID_CREDENTIALS', 'OTP required') };
       }
       return defaultLogin(input);
     },
@@ -232,7 +239,7 @@ export const auth = createAuth({
 
 | Key | Signature | Must return |
 |---|---|---|
-| `register` | `(input: SignupInput) => Promise<SignupResult>` | `SignupResult` |
+| `register` | `(input: RegisterInput) => Promise<RegisterResult>` | `RegisterResult` |
 | `login` | `(input: LoginInput) => Promise<AuthResult>` | `AuthResult` |
 | `refresh` | `(refreshToken: string) => Promise<RefreshResult>` | `RefreshResult` |
 | `logout` | `(refreshToken: string \| undefined) => Promise<void>` | `void` |
@@ -287,7 +294,7 @@ import { createAdapter } from './adapter.js';
 export const adapter = createAdapter(db);
 ```
 
-`createAdapter` throws `AuthError` with code `CONFIGURATION_ERROR` at runtime if called without a `db` argument.
+`createAdapter` throws `SentriError` with code `CONFIGURATION_ERROR` at runtime if called without a `db` argument.
 
 ---
 
@@ -473,8 +480,8 @@ Token and password utilities are available on the auth client for use outside th
 ```typescript
 // Token utilities
 const accessToken = auth.signAccessToken({ id, identifier, roles });
-const user = auth.verifyAccessToken(accessToken);         // throws AuthError if invalid
-const { sessionId } = auth.verifyRefreshToken(token);    // throws AuthError if invalid
+const user = auth.verifyAccessToken(accessToken);         // throws SentriError if invalid
+const { sessionId } = auth.verifyRefreshToken(token);    // throws SentriError if invalid
 const refreshToken = auth.signRefreshToken(sessionId);
 
 // Password utilities
@@ -482,7 +489,26 @@ const hash = await auth.hashPassword('secret123');
 const valid = await auth.verifyPassword('secret123', hash);
 ```
 
-`verifyAccessToken` and `verifyRefreshToken` throw `AuthError` with code `TOKEN_EXPIRED` or `TOKEN_INVALID` — wrap them in a try/catch or use the router which handles this automatically.
+`verifyAccessToken` and `verifyRefreshToken` throw `SentriError` with code `TOKEN_EXPIRED` or `TOKEN_INVALID` — wrap them in a try/catch or use the router which handles this automatically.
+
+### `register` — standalone service function
+
+The `register` function is also exported directly so you can call it outside the built-in router (e.g. in tests, scripts, or admin tools):
+
+```typescript
+import { register } from 'sentri';
+
+const result = await register(
+  { identifier: 'alice@example.com', password: 'hunter2', roles: ['user'] },
+  config,
+);
+
+if (result.success) {
+  console.log(result.user.id);
+} else {
+  console.error(result.error.code); // 'USER_ALREADY_EXISTS' | 'INVALID_ROLE'
+}
+```
 
 ---
 
@@ -495,11 +521,11 @@ import type {
   AuthAdapter,
   AuthUser,
   AuthResult,
-  SignupResult,
+  RegisterResult,
   AssignRolesResult,
   RefreshResult,
   ApiResponse,
-  SignupInput,
+  RegisterInput,
   LoginInput,
   RouterHandlers,
   UserRecord,
@@ -508,17 +534,17 @@ import type {
   CookieConfig,
   PermitCheck,
   PermitOptions,
-  AuthErrorCode,
+  SentriErrorCode,
 } from 'sentri';
 
-import { AuthError, createAuth } from 'sentri';
+import { SentriError, AUTH_ERROR_STATUS, createAuth, register } from 'sentri';
 ```
 
 ---
 
 ## Error Handling
 
-All errors thrown by the library are instances of `AuthError` with a machine-readable `code`:
+All errors thrown by the library are instances of `SentriError` with a machine-readable `code` and an HTTP `statusCode`:
 
 | Code | HTTP | Meaning |
 |---|---|---|
@@ -533,44 +559,70 @@ All errors thrown by the library are instances of `AuthError` with a machine-rea
 | `VALIDATION_ERROR` | 400 | Missing or invalid input field |
 | `CONFIGURATION_ERROR` | 500 | Invalid `createAuth` configuration |
 
-The built-in router converts all `AuthError` instances to the standard envelope automatically. For custom routes:
+### `auth.errorHandler()`
+
+Mount `auth.errorHandler()` **after all your routes** to automatically format every `SentriError` (and any subclass) into the standard envelope:
 
 ```typescript
-import { AuthError } from 'sentri';
-
-const AUTH_ERROR_STATUS: Record<string, number> = {
-  UNAUTHORIZED: 401,
-  TOKEN_EXPIRED: 401,
-  TOKEN_INVALID: 401,
-  INVALID_CREDENTIALS: 401,
-  FORBIDDEN: 403,
-  USER_NOT_FOUND: 404,
-  USER_ALREADY_EXISTS: 409,
-  INVALID_ROLE: 400,
-  VALIDATION_ERROR: 400,
-  CONFIGURATION_ERROR: 500,
-};
+app.use('/auth', auth.router());
+app.use('/api', apiRouter);
+
+// Must be last
+app.use(auth.errorHandler());
+```
+
+Optional logger for unexpected errors:
+
+```typescript
+app.use(auth.errorHandler({
+  onUnhandled: (err) => logger.error('Unexpected error', { err }),
+}));
+```
+
+### Extending `SentriError`
+
+Define application-specific errors by extending `SentriError`. They are caught automatically by `auth.errorHandler()` via `instanceof`:
+
+```typescript
+import { SentriError } from 'sentri';
+
+export class NotFoundError extends SentriError {
+  constructor(resource: string) {
+    super('NOT_FOUND', `${resource} not found`, 404);
+  }
+}
 
-app.use((error, _request, response, next) => {
-  if (error instanceof AuthError) {
-    const statusCode = AUTH_ERROR_STATUS[error.code] ?? 500;
-    return response.status(statusCode).json({
-      error: true,
-      statusCode,
-      code: error.code,
-      message: error.message,
-      data: null,
-    });
+export class PaymentError extends SentriError {
+  constructor(message: string) {
+    super('PAYMENT_FAILED', message, 402);
   }
-  next(error);
+}
+
+// Throw anywhere in your routes — auth.errorHandler() catches them all
+app.get('/items/:id', auth.protect(), async (req, res) => {
+  const item = await db.items.findById(req.params['id']);
+  if (!item) throw new NotFoundError('Item');
+  res.json(item);
 });
 ```
 
+Response shape for any `SentriError` (built-in or custom):
+
+```json
+{
+  "error": true,
+  "statusCode": 404,
+  "code": "NOT_FOUND",
+  "message": "Item not found",
+  "data": null
+}
+```
+
 ---
 
 ## Migration from 1.0.x
 
-### Breaking changes
+### Breaking changes in 1.1.0
 
 | What changed | Action required |
 |---|---|
@@ -578,7 +630,19 @@ app.use((error, _request, response, next) => {
 | `RouterHandlers.signup` renamed to `RouterHandlers.register` | Update config if you used a custom signup handler |
 | `protect()` now performs one DB read per request | Ensure your adapter's `session.findById` is indexed on session ID |
 
-### New features
+### Breaking changes in 1.2.0
 
-- **Session-bound tokens** — access tokens are immediately invalidated after logout without waiting for expiry.
-- **`apiKey` config** — lock `POST /register` to trusted callers via `X-Api-Key` header.
+| What changed | Action required |
+|---|---|
+| `AuthError` renamed to `SentriError` | Replace all `import { AuthError }` with `import { SentriError }` |
+| `AuthErrorCode` renamed to `SentriErrorCode` | Replace all `AuthErrorCode` type references |
+| `SignupResult` renamed to `RegisterResult` | Replace type references |
+| `SignupInput` renamed to `RegisterInput` | Replace type references |
+| `signup` service renamed to `register` | Replace `import { signup }` with `import { register }` |
+
+### New features in 1.2.0
+
+- **`auth.errorHandler()`** — built-in Express error handler mounted like `auth.router()`.
+- **`SentriError.statusCode`** — each error carries its own HTTP status; no need for a manual status map.
+- **Extensible errors** — subclass `SentriError` with a custom `code` and `statusCode`; `auth.errorHandler()` catches all subclasses automatically.
+- **`register` exported** — the registration service function is now a named export for use outside the built-in router.

package/dist/client.d.ts

@@ -17,7 +17,7 @@ export interface AuthClient<TRole extends string = string> {
      *
      * Reads the `Authorization: Bearer <token>` header, verifies the access token,
      * confirms the session is still active in the database, and injects the decoded
-     * payload as `request.user`. Calls `next(AuthError)` on any failure.
+     * payload as `request.user`. Calls `next(SentriError)` on any failure.
      *
      * @example
      * router.get('/me', auth.protect(), (request, response) => {
@@ -29,7 +29,7 @@ export interface AuthClient<TRole extends string = string> {
      * Express middleware factory that enforces role-based access.
      *
      * Must be used **after** `protect()`. Passes if the authenticated user has
-     * at least one of the specified roles; otherwise calls `next(AuthError)` with
+     * at least one of the specified roles; otherwise calls `next(SentriError)` with
      * code `FORBIDDEN`.
      *
      * @example
@@ -40,7 +40,7 @@ export interface AuthClient<TRole extends string = string> {
      * Express middleware factory for resource-level permission checks.
      *
      * Must be used **after** `protect()`. Evaluates a check function against the
-     * current request and calls `next(AuthError)` with `FORBIDDEN` if it returns `false`.
+     * current request and calls `next(SentriError)` with `FORBIDDEN` if it returns `false`.
      *
      * Accepts either a bare check function or an options object with an optional
      * `roles` list whose members bypass the check entirely.
@@ -77,9 +77,9 @@ export interface AuthClient<TRole extends string = string> {
     signAccessToken(payload: AuthUser<TRole>): string;
     /** Sign a refresh token bound to a session ID. */
     signRefreshToken(sessionId: string): string;
-    /** Verify and decode an access token. Throws `AuthError` if invalid or expired. */
+    /** Verify and decode an access token. Throws `SentriError` if invalid or expired. */
     verifyAccessToken(token: string): AuthUser<TRole>;
-    /** Verify and decode a refresh token. Throws `AuthError` if invalid or expired. */
+    /** Verify and decode a refresh token. Throws `SentriError` if invalid or expired. */
     verifyRefreshToken(token: string): {
         sessionId: string;
     };
@@ -103,7 +103,7 @@ export interface AuthClient<TRole extends string = string> {
      */
     router(): Router;
     /**
-     * Returns an Express error-handling middleware that formats every `AuthError`
+     * Returns an Express error-handling middleware that formats every `SentriError`
      * (and any subclass) into the standard sentri response envelope:
      *
      * ```json
@@ -111,13 +111,13 @@ export interface AuthClient<TRole extends string = string> {
      * ```
      *
      * Mount it **after all your routes** so it acts as the global catch-all for
-     * both sentri errors and your own `AuthError` subclasses.
+     * both sentri errors and your own `SentriError` subclasses.
      *
      * @example
-     * import { AuthError } from 'sentri';
+     * import { SentriError } from 'sentri';
      *
-     * // Define app-specific errors by extending AuthError
-     * class NotFoundError extends AuthError {
+     * // Define app-specific errors by extending SentriError
+     * class NotFoundError extends SentriError {
      *   constructor(resource: string) {
      *     super('NOT_FOUND', `${resource} not found`, 404);
      *   }

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACxE,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAE3E;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD;;;;;;;;;;;OAWG;IACH,OAAO,IAAI,cAAc,CAAC;IAE1B;;;;;;;;;OASG;IACH,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC;IAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC;IAEtD,oEAAoE;IACpE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7C,kEAAkE;IAClE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE9D,uDAAuD;IACvD,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC;IAElD,kDAAkD;IAClD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5C,mFAAmF;IACnF,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,mFAAmF;IACnF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAEzD;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,IAAI,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,YAAY,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,mBAAmB,CAAC;CAClE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EACtD,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GACxB,UAAU,CAAC,KAAK,CAAC,CAiBnB"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACxE,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAE3E;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM;IACvD;;;;;;;;;;;OAWG;IACH,OAAO,IAAI,cAAc,CAAC;IAE1B;;;;;;;;;OASG;IACH,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC;IAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC;IAEtD,oEAAoE;IACpE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7C,kEAAkE;IAClE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE9D,uDAAuD;IACvD,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC;IAElD,kDAAkD;IAClD,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5C,qFAAqF;IACrF,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,qFAAqF;IACrF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAEzD;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,IAAI,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,YAAY,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,mBAAmB,CAAC;CAClE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EACtD,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GACxB,UAAU,CAAC,KAAK,CAAC,CAiBnB"}

package/dist/errors/AuthError.d.ts

@@ -1,5 +1,5 @@
 /**
- * Discriminant codes for built-in {@link AuthError} instances.
+ * Discriminant codes for built-in {@link SentriError} instances.
  *
  * - `INVALID_CREDENTIALS` — identifier or password did not match (intentionally vague to prevent user enumeration)
  * - `USER_NOT_FOUND` — an operation required a user that does not exist
@@ -12,10 +12,10 @@
  * - `VALIDATION_ERROR` — a required field was missing or had an invalid value
  * - `CONFIGURATION_ERROR` — `createAuth` was called with an invalid configuration
  *
- * When you extend {@link AuthError} for your own error types you can use any
+ * When you extend {@link SentriError} for your own error types you can use any
  * string as `code` — it does not need to be one of these built-in values.
  */
-export type AuthErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_ALREADY_EXISTS' | 'TOKEN_EXPIRED' | 'TOKEN_INVALID' | 'FORBIDDEN' | 'UNAUTHORIZED' | 'INVALID_ROLE' | 'VALIDATION_ERROR' | 'CONFIGURATION_ERROR';
+export type SentriErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_ALREADY_EXISTS' | 'TOKEN_EXPIRED' | 'TOKEN_INVALID' | 'FORBIDDEN' | 'UNAUTHORIZED' | 'INVALID_ROLE' | 'VALIDATION_ERROR' | 'CONFIGURATION_ERROR';
 /**
  * Default HTTP status codes for built-in error codes.
  * Custom codes that are not in this map default to 500.
@@ -24,37 +24,37 @@ export type AuthErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_ALR
  */
 export declare const AUTH_ERROR_STATUS: Record<string, number>;
 /**
- * Base error class for all authentication and authorization failures.
+ * Base error class for all authentication and authorization failures in sentri.
  *
- * Every error thrown by sentri is an instance of `AuthError`. The `code`
+ * Every error thrown by sentri is an instance of `SentriError`. The `code`
  * property is a machine-readable string that lets you distinguish error
  * types without string-matching on the message. Built-in codes are listed
- * in {@link AuthErrorCode}; custom subclasses may use any string.
+ * in {@link SentriErrorCode}; custom subclasses may use any string.
  *
  * The `statusCode` property holds the HTTP status that the built-in router
- * and `createErrorHandler()` will use in the response. For built-in codes
+ * and `auth.errorHandler()` will use in the response. For built-in codes
  * it is derived automatically. Pass it explicitly when subclassing with a
  * custom code.
  *
  * ---
  *
- * **Extending AuthError**
+ * **Extending SentriError**
  *
- * You can create application-specific error classes by extending `AuthError`.
- * Any subclass will be caught automatically by `createErrorHandler()` because
- * `instanceof AuthError` is `true` for all subclasses.
+ * You can create application-specific error classes by extending `SentriError`.
+ * Any subclass will be caught automatically by `auth.errorHandler()` because
+ * `instanceof SentriError` is `true` for all subclasses.
  *
  * ```typescript
- * import { AuthError } from 'sentri';
+ * import { SentriError } from 'sentri';
  *
  * // Domain error with a custom code and explicit HTTP status
- * export class PaymentError extends AuthError {
+ * export class PaymentError extends SentriError {
  *   constructor(message: string) {
  *     super('PAYMENT_FAILED', message, 402);
  *   }
  * }
  *
- * // Throw it anywhere in your routes — createErrorHandler() catches it
+ * // Throw it anywhere in your routes — auth.errorHandler() catches it
  * router.post('/checkout', auth.protect(), async (req, res) => {
  *   const ok = await chargeCard(req.body.cardToken);
  *   if (!ok) throw new PaymentError('Card declined');
@@ -67,19 +67,17 @@ export declare const AUTH_ERROR_STATUS: Record<string, number>;
  * **Error handling in custom routes**
  *
  * ```typescript
- * import { AuthError, createErrorHandler } from 'sentri';
- *
  * app.use('/auth', auth.router());
  * app.use('/api', apiRouter);
  *
- * // Mount after all routes — catches AuthError from sentri AND your subclasses
- * app.use(createErrorHandler());
+ * // Mount after all routes — catches SentriError from sentri AND your subclasses
+ * app.use(auth.errorHandler());
  * ```
  */
-export declare class AuthError extends Error {
+export declare class SentriError extends Error {
     /**
      * Machine-readable error code.
-     * Built-in codes are defined by {@link AuthErrorCode}.
+     * Built-in codes are defined by {@link SentriErrorCode}.
      * Custom subclasses may use any string.
      */
     readonly code: string;
@@ -90,12 +88,12 @@ export declare class AuthError extends Error {
      */
     readonly statusCode: number;
     /**
-     * @param code - Machine-readable error code. Use a built-in {@link AuthErrorCode}
+     * @param code - Machine-readable error code. Use a built-in {@link SentriErrorCode}
      *   or any string for custom subclasses.
      * @param message - Human-readable description of the error.
      * @param statusCode - HTTP status to use in the response. For built-in codes
      *   this is derived automatically; for custom codes it defaults to `500`.
      */
-    constructor(code: AuthErrorCode | (string & {}), message: string, statusCode?: number);
+    constructor(code: SentriErrorCode | (string & {}), message: string, statusCode?: number);
 }
 //# sourceMappingURL=AuthError.d.ts.map

package/dist/errors/AuthError.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthError.d.ts","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,MAAM,aAAa,GACrB,qBAAqB,GACrB,gBAAgB,GAChB,qBAAqB,GACrB,eAAe,GACf,eAAe,GACf,WAAW,GACX,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,qBAAqB,CAAC;AAE1B;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAWpD,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AACH,qBAAa,SAAU,SAAQ,KAAK;IAClC;;;;OAIG;IACH,SAAgB,IAAI,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,SAAgB,UAAU,EAAE,MAAM,CAAC;IAEnC;;;;;;OAMG;gBAED,IAAI,EAAE,aAAa,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,EACnC,OAAO,EAAE,MAAM,EACf,UAAU,CAAC,EAAE,MAAM;CAOtB"}
+{"version":3,"file":"AuthError.d.ts","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,MAAM,eAAe,GACvB,qBAAqB,GACrB,gBAAgB,GAChB,qBAAqB,GACrB,eAAe,GACf,eAAe,GACf,WAAW,GACX,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,qBAAqB,CAAC;AAE1B;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAWpD,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,qBAAa,WAAY,SAAQ,KAAK;IACpC;;;;OAIG;IACH,SAAgB,IAAI,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,SAAgB,UAAU,EAAE,MAAM,CAAC;IAEnC;;;;;;OAMG;gBAED,IAAI,EAAE,eAAe,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,EACrC,OAAO,EAAE,MAAM,EACf,UAAU,CAAC,EAAE,MAAM;CAOtB"}

package/dist/errors/AuthError.js

@@ -17,37 +17,37 @@ export const AUTH_ERROR_STATUS = {
     CONFIGURATION_ERROR: 500,
 };
 /**
- * Base error class for all authentication and authorization failures.
+ * Base error class for all authentication and authorization failures in sentri.
  *
- * Every error thrown by sentri is an instance of `AuthError`. The `code`
+ * Every error thrown by sentri is an instance of `SentriError`. The `code`
  * property is a machine-readable string that lets you distinguish error
  * types without string-matching on the message. Built-in codes are listed
- * in {@link AuthErrorCode}; custom subclasses may use any string.
+ * in {@link SentriErrorCode}; custom subclasses may use any string.
  *
  * The `statusCode` property holds the HTTP status that the built-in router
- * and `createErrorHandler()` will use in the response. For built-in codes
+ * and `auth.errorHandler()` will use in the response. For built-in codes
  * it is derived automatically. Pass it explicitly when subclassing with a
  * custom code.
  *
  * ---
  *
- * **Extending AuthError**
+ * **Extending SentriError**
  *
- * You can create application-specific error classes by extending `AuthError`.
- * Any subclass will be caught automatically by `createErrorHandler()` because
- * `instanceof AuthError` is `true` for all subclasses.
+ * You can create application-specific error classes by extending `SentriError`.
+ * Any subclass will be caught automatically by `auth.errorHandler()` because
+ * `instanceof SentriError` is `true` for all subclasses.
  *
  * ```typescript
- * import { AuthError } from 'sentri';
+ * import { SentriError } from 'sentri';
  *
  * // Domain error with a custom code and explicit HTTP status
- * export class PaymentError extends AuthError {
+ * export class PaymentError extends SentriError {
  *   constructor(message: string) {
  *     super('PAYMENT_FAILED', message, 402);
  *   }
  * }
  *
- * // Throw it anywhere in your routes — createErrorHandler() catches it
+ * // Throw it anywhere in your routes — auth.errorHandler() catches it
  * router.post('/checkout', auth.protect(), async (req, res) => {
  *   const ok = await chargeCard(req.body.cardToken);
  *   if (!ok) throw new PaymentError('Card declined');
@@ -60,19 +60,17 @@ export const AUTH_ERROR_STATUS = {
  * **Error handling in custom routes**
  *
  * ```typescript
- * import { AuthError, createErrorHandler } from 'sentri';
- *
  * app.use('/auth', auth.router());
  * app.use('/api', apiRouter);
  *
- * // Mount after all routes — catches AuthError from sentri AND your subclasses
- * app.use(createErrorHandler());
+ * // Mount after all routes — catches SentriError from sentri AND your subclasses
+ * app.use(auth.errorHandler());
  * ```
  */
-export class AuthError extends Error {
+export class SentriError extends Error {
     /**
      * Machine-readable error code.
-     * Built-in codes are defined by {@link AuthErrorCode}.
+     * Built-in codes are defined by {@link SentriErrorCode}.
      * Custom subclasses may use any string.
      */
     code;
@@ -83,7 +81,7 @@ export class AuthError extends Error {
      */
     statusCode;
     /**
-     * @param code - Machine-readable error code. Use a built-in {@link AuthErrorCode}
+     * @param code - Machine-readable error code. Use a built-in {@link SentriErrorCode}
      *   or any string for custom subclasses.
      * @param message - Human-readable description of the error.
      * @param statusCode - HTTP status to use in the response. For built-in codes
@@ -91,7 +89,7 @@ export class AuthError extends Error {
      */
     constructor(code, message, statusCode) {
         super(message);
-        this.name = 'AuthError';
+        this.name = 'SentriError';
         this.code = code;
         this.statusCode = statusCode ?? AUTH_ERROR_STATUS[code] ?? 500;
     }

package/dist/errors/AuthError.js.map

@@ -1 +1 @@
-{"version":3,"file":"AuthError.js","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AA6BA;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA2B;IACvD,YAAY,EAAE,GAAG;IACjB,aAAa,EAAE,GAAG;IAClB,aAAa,EAAE,GAAG;IAClB,mBAAmB,EAAE,GAAG;IACxB,SAAS,EAAE,GAAG;IACd,cAAc,EAAE,GAAG;IACnB,mBAAmB,EAAE,GAAG;IACxB,YAAY,EAAE,GAAG;IACjB,gBAAgB,EAAE,GAAG;IACrB,mBAAmB,EAAE,GAAG;CACzB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AACH,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC;;;;OAIG;IACa,IAAI,CAAS;IAE7B;;;;OAIG;IACa,UAAU,CAAS;IAEnC;;;;;;OAMG;IACH,YACE,IAAmC,EACnC,OAAe,EACf,UAAmB;QAEnB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC;IACjE,CAAC;CACF"}
+{"version":3,"file":"AuthError.js","sourceRoot":"","sources":["../../src/errors/AuthError.ts"],"names":[],"mappings":"AA6BA;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA2B;IACvD,YAAY,EAAE,GAAG;IACjB,aAAa,EAAE,GAAG;IAClB,aAAa,EAAE,GAAG;IAClB,mBAAmB,EAAE,GAAG;IACxB,SAAS,EAAE,GAAG;IACd,cAAc,EAAE,GAAG;IACnB,mBAAmB,EAAE,GAAG;IACxB,YAAY,EAAE,GAAG;IACjB,gBAAgB,EAAE,GAAG;IACrB,mBAAmB,EAAE,GAAG;CACzB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC;;;;OAIG;IACa,IAAI,CAAS;IAE7B;;;;OAIG;IACa,UAAU,CAAS;IAEnC;;;;;;OAMG;IACH,YACE,IAAqC,EACrC,OAAe,EACf,UAAmB;QAEnB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;QAC1B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC;IACjE,CAAC;CACF"}

package/dist/index.d.ts

@@ -6,12 +6,13 @@ declare global {
         }
     }
 }
-export type { AuthConfig, CookieConfig, AuthUser, ApiResponse, AuthAdapter, UserRecord, SessionRecord, CreateUserData, RouterHandlers, SignupInput, LoginInput, SignupResult, AuthResult, RefreshResult, AssignRolesResult, } from './types/auth.js';
-export type { AuthErrorCode } from './errors/AuthError.js';
+export type { AuthConfig, CookieConfig, AuthUser, ApiResponse, AuthAdapter, UserRecord, SessionRecord, CreateUserData, RouterHandlers, RegisterInput, LoginInput, RegisterResult, AuthResult, RefreshResult, AssignRolesResult, } from './types/auth.js';
+export type { SentriErrorCode } from './errors/AuthError.js';
 export type { AuthClient } from './client.js';
 export type { ErrorHandlerOptions } from './middleware/errorHandler.js';
-export { AuthError, AUTH_ERROR_STATUS } from './errors/AuthError.js';
+export { SentriError, AUTH_ERROR_STATUS } from './errors/AuthError.js';
 export { createAuth } from './client.js';
 export { createErrorHandler } from './middleware/errorHandler.js';
+export { register } from './services/auth.js';
 export type { PermitCheck, PermitOptions } from './middleware/permit.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAIhD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,YAAY,EACV,UAAU,EACV,YAAY,EACZ,QAAQ,EACR,WAAW,EACX,WAAW,EACX,UAAU,EACV,aAAa,EACb,cAAc,EACd,cAAc,EACd,WAAW,EACX,UAAU,EACV,YAAY,EACZ,UAAU,EACV,aAAa,EACb,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAExE,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAGhD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,YAAY,EACV,UAAU,EACV,YAAY,EACZ,QAAQ,EACR,WAAW,EACX,WAAW,EACX,UAAU,EACV,aAAa,EACb,cAAc,EACd,cAAc,EACd,aAAa,EACb,UAAU,EACV,cAAc,EACd,UAAU,EACV,aAAa,EACb,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAExE,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/index.js

@@ -1,4 +1,5 @@
-export { AuthError, AUTH_ERROR_STATUS } from './errors/AuthError.js';
+export { SentriError, AUTH_ERROR_STATUS } from './errors/AuthError.js';
 export { createAuth } from './client.js';
 export { createErrorHandler } from './middleware/errorHandler.js';
+export { register } from './services/auth.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAiCA,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAgCA,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/libs/config.d.ts

@@ -17,14 +17,14 @@ export interface ResolvedConfig {
  * Validate configuration at startup so misconfiguration is caught immediately,
  * not at the first login attempt.
  *
- * Throws {@link AuthError} with code `CONFIGURATION_ERROR` for any of:
+ * Throws {@link SentriError} with code `CONFIGURATION_ERROR` for any of:
  * - `secret` missing or shorter than 32 characters
  * - `saltRounds` outside the range 10–31
  * - `validRoles` is empty or missing
  * - `adapter` is missing
  *
  * @param config - The raw config passed to {@link createAuth}.
- * @throws {AuthError} With code `CONFIGURATION_ERROR` on any invalid field.
+ * @throws {SentriError} With code `CONFIGURATION_ERROR` on any invalid field.
  */
 export declare function validateConfig(config: AuthConfig): void;
 /**

package/dist/libs/config.js

@@ -1,4 +1,4 @@
-import { AuthError } from '../errors/AuthError.js';
+import { SentriError } from '../errors/AuthError.js';
 const MIN_SECRET_LENGTH = 32;
 const MIN_SALT_ROUNDS = 10;
 const MAX_SALT_ROUNDS = 31;
@@ -6,31 +6,31 @@ const MAX_SALT_ROUNDS = 31;
  * Validate configuration at startup so misconfiguration is caught immediately,
  * not at the first login attempt.
  *
- * Throws {@link AuthError} with code `CONFIGURATION_ERROR` for any of:
+ * Throws {@link SentriError} with code `CONFIGURATION_ERROR` for any of:
  * - `secret` missing or shorter than 32 characters
  * - `saltRounds` outside the range 10–31
  * - `validRoles` is empty or missing
  * - `adapter` is missing
  *
  * @param config - The raw config passed to {@link createAuth}.
- * @throws {AuthError} With code `CONFIGURATION_ERROR` on any invalid field.
+ * @throws {SentriError} With code `CONFIGURATION_ERROR` on any invalid field.
  */
 export function validateConfig(config) {
     if (!config.secret || config.secret.trim().length === 0) {
-        throw new AuthError('CONFIGURATION_ERROR', 'secret must not be empty');
+        throw new SentriError('CONFIGURATION_ERROR', 'secret must not be empty');
     }
     if (config.secret.length < MIN_SECRET_LENGTH) {
-        throw new AuthError('CONFIGURATION_ERROR', `secret must be at least ${MIN_SECRET_LENGTH} characters to be cryptographically safe`);
+        throw new SentriError('CONFIGURATION_ERROR', `secret must be at least ${MIN_SECRET_LENGTH} characters to be cryptographically safe`);
     }
     const saltRounds = config.saltRounds ?? 12;
     if (!Number.isInteger(saltRounds) || saltRounds < MIN_SALT_ROUNDS || saltRounds > MAX_SALT_ROUNDS) {
-        throw new AuthError('CONFIGURATION_ERROR', `saltRounds must be an integer between ${MIN_SALT_ROUNDS} and ${MAX_SALT_ROUNDS}`);
+        throw new SentriError('CONFIGURATION_ERROR', `saltRounds must be an integer between ${MIN_SALT_ROUNDS} and ${MAX_SALT_ROUNDS}`);
     }
     if (!config.validRoles || config.validRoles.length === 0) {
-        throw new AuthError('CONFIGURATION_ERROR', 'validRoles must contain at least one role');
+        throw new SentriError('CONFIGURATION_ERROR', 'validRoles must contain at least one role');
     }
     if (!config.adapter) {
-        throw new AuthError('CONFIGURATION_ERROR', 'adapter is required');
+        throw new SentriError('CONFIGURATION_ERROR', 'adapter is required');
     }
 }
 /**