@mastergnou/auth-server

Shared framework-free auth policy helpers for Mount-family backends.

Current surface:

• deployment-level password-login policy resolution
• tenant auth-mode and SSO-state resolution
• tenant provider eligibility helpers
• tenant auth-config normalization and change-detection helpers
• required-AMR normalization
• bounded integer normalization for auth-related config
• password setup token generation, digesting, and validation helpers
• identity lifecycle policy and deprovision event normalization helpers
• SCIM bearer auth parsing, PATCH parsing, and user normalization helpers

Current assumption notes:

• resolveDeploymentPasswordLoginEnabled() preserves the current Coachiz default: when no explicit boolean override is configured, password login stays enabled outside the production node environment
• tenant auth-state/provider helpers are mature enough to share because they already match the current Coachiz pure auth-mode.util.ts behavior closely, while still taking plain values instead of Nest ConfigService
• normalizeRequiredAmrInput() is for request/controller-side array cleanup, while resolveRequiredAmr() is for stored-config plus default-policy resolution
• tenant auth-config response shaping is still intentionally local; the shared package only covers normalization and config-drift detection, not consumer DTO assembly or app-URL fallback rules
• SCIM auth helpers stop at parsing and validating the bearer credential shape; tenant lookup and credential persistence stay local
• SCIM PATCH helpers only normalize supported operation structure; they do not apply product mutation semantics
• SCIM user normalization extracts product-neutral fields only; it does not decide local persistence or deprovisioning behavior

Non-goals in this package:

• Nest-specific service wiring
• repository access
• token issuance
• audit logging
• SCIM runtime endpoints and tenant resolution