By: Michael Lynch <git@mtlynch.io>
Make simpleauth sessions caller-owned simpleauth previously exposed a session manager that wrapped jeff's SQLite store. Applications supplied a SQLite database, so simpleauth owned the session schema, storage backend, and cleanup behavior even though callers already owned user and password-hash persistence through the auth package. Cleanup failures were also logged inside the library instead of being returned to the app. Replace that model with a v3 API centered on caller-owned persistence. The root package now defines the minimal user primitives that sessions need without taking over account management: UserID, User, UserStore, and ErrUserNotFound. The sessions package now accepts a caller-provided Store, generates validated 32-byte URL-safe session IDs, persists Session records server-side, sets HttpOnly/SameSite cookies with configurable Secure behavior, loads optional sessions for public routes, enforces sessions for protected routes, and returns session creation/deletion errors to the caller. Remove the bundled jeff/SQLite dependency and the sqlite_json test tag, update the module and imports to codeberg.org/mtlynch/simpleauth/v3, refresh the Nix vendor hash, and document how a web app wires auth stores, user lookup, session stores, login, protected routes, context access, and logout. This is intentionally a breaking change: storage schema, user lookup, session lifecycle policy, and error handling now belong to the application using simpleauth rather than the library. Add focused tests for UserID validation and session create/load/require behavior so those new contracts are covered.