& so it begins

packages/logic/domains/2fa/sensitive-actions.ts

@@ -0,0 +1,43 @@
+import { FlowExecCtx } from "@core/flow.execution.context";
+import { getTwofaController } from "./controller";
+import type { User } from "@/domains/user/data";
+
+const twofaController = getTwofaController();
+
+/**
+ * Check if user needs 2FA verification for sensitive actions
+ * Call this before executing sensitive operations like:
+ * - Changing password
+ * - Viewing billing info
+ * - Deleting account
+ * - etc.
+ */
+export async function requiresSensitiveAction2FA(
+    fctx: FlowExecCtx,
+    user: User,
+): Promise<boolean> {
+    const result = await twofaController.requiresSensitiveActionVerification(
+        fctx,
+        user,
+    );
+    return result.match(
+        (data) => data,
+        () => true, // On error, require verification for security
+    );
+}
+
+export async function checkInitial2FaRequired(
+    fctx: FlowExecCtx,
+    user: User,
+    sessionId: string,
+): Promise<boolean> {
+    const result = await twofaController.requiresInitialVerification(
+        fctx,
+        user,
+        sessionId,
+    );
+    return result.match(
+        (data) => data,
+        () => true,
+    );
+}