@agentlensai/server 0.11.0 → 0.13.0

package/dist/middleware/auth-errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-errors.d.ts","sourceRoot":"","sources":["../../src/middleware/auth-errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAIpC,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;gBAO5C;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO;;;;gBAMvC;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO;;;;gBAMvC;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,OAAO;;;;gBAMpC;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,OAAO;;;;;gBAOpC;AAED,wBAAgB,eAAe,CAAC,CAAC,EAAE,OAAO;;;;gBAMzC;AAED,wBAAgB,YAAY,CAAC,CAAC,EAAE,OAAO;;;;gBAMtC;AAED,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,OAAO;;;;;gBAO1C;AAED,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,OAAO;;;;gBAM1C;AAID,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE;IACxD,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;;;;;;gBAQA"}

package/dist/middleware/auth-errors.js

@@ -0,0 +1,84 @@
+/**
+ * Standardized auth error response builders (Story 6 / PRD §R5).
+ *
+ * All 401/403 responses share a consistent JSON structure with
+ * actionable `hint` fields. No stack traces or internals leaked.
+ */
+// ── 401 Responses ──────────────────────────────────────────
+export function missingCredentials(c) {
+    return c.json({
+        error: 'Authentication required',
+        hint: "Provide an API key via 'Authorization: Bearer als_...' header, or log in via /auth/login",
+        docs: '/docs/authentication',
+        status: 401,
+    }, 401);
+}
+export function invalidApiKey(c) {
+    return c.json({
+        error: 'Invalid or revoked API key',
+        hint: 'This API key is no longer valid. Generate a new key at /api/keys.',
+        status: 401,
+    }, 401);
+}
+export function expiredApiKey(c) {
+    return c.json({
+        error: 'API key expired',
+        hint: 'This API key has been rotated and is no longer valid. Please use the new key.',
+        status: 401,
+    }, 401);
+}
+export function expiredJwt(c) {
+    return c.json({
+        error: 'Token expired',
+        hint: 'Your session has expired. Refresh via POST /auth/refresh or log in again.',
+        status: 401,
+    }, 401);
+}
+export function invalidJwt(c) {
+    return c.json({
+        error: 'Invalid token',
+        hint: 'The provided token is invalid. Log in again via /auth/login.',
+        docs: '/docs/authentication',
+        status: 401,
+    }, 401);
+}
+export function invalidCloudKey(c) {
+    return c.json({
+        error: 'Invalid or revoked API key',
+        hint: 'This cloud API key is no longer valid. Generate a new key in the dashboard.',
+        status: 401,
+    }, 401);
+}
+export function authRequired(c) {
+    return c.json({
+        error: 'Authentication required',
+        hint: 'No auth context found. This is likely a middleware ordering issue.',
+        status: 401,
+    }, 401);
+}
+export function otlpAuthRequired(c) {
+    return c.json({
+        error: 'Authentication required',
+        hint: "OTLP authentication is enabled. Provide a token via 'Authorization: Bearer <token>' header.",
+        docs: '/docs/otlp-auth',
+        status: 401,
+    }, 401);
+}
+export function otlpInvalidToken(c) {
+    return c.json({
+        error: 'Invalid OTLP token',
+        hint: 'The provided OTLP auth token does not match. Check your OTLP_AUTH_TOKEN configuration.',
+        status: 401,
+    }, 401);
+}
+// ── 403 Responses ──────────────────────────────────────────
+export function insufficientPermissions(c, opts) {
+    return c.json({
+        error: 'Insufficient permissions',
+        hint: opts.hint ?? `This action requires '${opts.required}' role or higher. Your current role is '${opts.current}'.`,
+        required: opts.required,
+        current: opts.current,
+        status: 403,
+    }, 403);
+}
+//# sourceMappingURL=auth-errors.js.map

package/dist/middleware/auth-errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-errors.js","sourceRoot":"","sources":["../../src/middleware/auth-errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,8DAA8D;AAE9D,MAAM,UAAU,kBAAkB,CAAC,CAAU;IAC3C,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,yBAAyB;QAChC,IAAI,EAAE,0FAA0F;QAChG,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,CAAU;IACtC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,4BAA4B;QACnC,IAAI,EAAE,mEAAmE;QACzE,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,CAAU;IACtC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,iBAAiB;QACxB,IAAI,EAAE,+EAA+E;QACrF,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAU;IACnC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,2EAA2E;QACjF,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAU;IACnC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,8DAA8D;QACpE,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,CAAU;IACxC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,4BAA4B;QACnC,IAAI,EAAE,6EAA6E;QACnF,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,CAAU;IACrC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,yBAAyB;QAChC,IAAI,EAAE,oEAAoE;QAC1E,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAU;IACzC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,yBAAyB;QAChC,IAAI,EAAE,6FAA6F;QACnG,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAU;IACzC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,oBAAoB;QAC3B,IAAI,EAAE,wFAAwF;QAC9F,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,8DAA8D;AAE9D,MAAM,UAAU,uBAAuB,CAAC,CAAU,EAAE,IAInD;IACC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,0BAA0B;QACjC,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,yBAAyB,IAAI,CAAC,QAAQ,2CAA2C,IAAI,CAAC,OAAO,IAAI;QACpH,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC"}

package/dist/middleware/auth.d.ts

@@ -5,8 +5,11 @@
  * with SHA-256 and looking it up in the apiKeys table.
  *
  * When AUTH_DISABLED=true, authentication is skipped (dev mode).
+ *
+ * Supports both SQLite (sync) and PostgreSQL (async) backends via IApiKeyLookup.
  */
 import type { SqliteDb } from '../db/index.js';
+import type { IApiKeyLookup } from '../db/api-key-lookup.js';
 /**
  * API key info attached to the Hono context.
  */
@@ -29,10 +32,10 @@ export declare function hashApiKey(raw: string): string;
 /**
  * Create the auth middleware.
  *
- * @param db - Drizzle SQLite database instance
+ * @param dbOrLookup - Drizzle SQLite database instance OR IApiKeyLookup
  * @param authDisabled - If true, skip authentication (dev mode)
  */
-export declare function authMiddleware(db: SqliteDb, authDisabled: boolean): import("hono").MiddlewareHandler<{
+export declare function authMiddleware(dbOrLookup: SqliteDb | IApiKeyLookup, authDisabled: boolean): import("hono").MiddlewareHandler<{
     Variables: AuthVariables;
 }, string, {}, Response>;
 //# sourceMappingURL=auth.d.ts.map

package/dist/middleware/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAI/C;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,UAAU,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,OAAO;eAC3B,aAAa;yBA2DnD"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAG/C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAE7D;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,UAAU,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,QAAQ,GAAG,aAAa,EAAE,YAAY,EAAE,OAAO;eACnD,aAAa;yBAgFnD"}

package/dist/middleware/auth.js

@@ -5,6 +5,8 @@
  * with SHA-256 and looking it up in the apiKeys table.
  *
  * When AUTH_DISABLED=true, authentication is skipped (dev mode).
+ *
+ * Supports both SQLite (sync) and PostgreSQL (async) backends via IApiKeyLookup.
  */
 import { createHash } from 'node:crypto';
 import { createMiddleware } from 'hono/factory';
@@ -19,10 +21,10 @@ export function hashApiKey(raw) {
 /**
  * Create the auth middleware.
  *
- * @param db - Drizzle SQLite database instance
+ * @param dbOrLookup - Drizzle SQLite database instance OR IApiKeyLookup
  * @param authDisabled - If true, skip authentication (dev mode)
  */
-export function authMiddleware(db, authDisabled) {
+export function authMiddleware(dbOrLookup, authDisabled) {
     return createMiddleware(async (c, next) => {
         // Dev mode: skip auth
         if (authDisabled) {
@@ -39,7 +41,37 @@ export function authMiddleware(db, authDisabled) {
         }
         const rawKey = match[1];
         const keyHash = hashApiKey(rawKey);
-        // Look up the key by hash (not revoked)
+        // Determine if we have an IApiKeyLookup or a raw SQLite db
+        if ('findByHash' in dbOrLookup) {
+            // IApiKeyLookup path (works for both SQLite and PostgreSQL)
+            const lookup = dbOrLookup;
+            const row = await lookup.findByHash(keyHash);
+            if (!row) {
+                return c.json({ error: 'Invalid or revoked API key', status: 401 }, 401);
+            }
+            if (row.expiresAt) {
+                const now = Math.floor(Date.now() / 1000);
+                if (now > row.expiresAt) {
+                    return c.json({ error: 'This API key has been rotated and is no longer valid. Please use the new key.', status: 401 }, 401);
+                }
+            }
+            // Fire-and-forget lastUsedAt update
+            void lookup.updateLastUsed(row.id);
+            const scopes = (() => {
+                if (Array.isArray(row.scopes))
+                    return row.scopes;
+                try {
+                    return JSON.parse(row.scopes);
+                }
+                catch {
+                    return [];
+                }
+            })();
+            c.set('apiKey', { id: row.id, name: row.name, scopes, tenantId: row.tenantId });
+            return next();
+        }
+        // Legacy SQLite db path (backward compatible)
+        const db = dbOrLookup;
         const row = db
             .select()
             .from(apiKeys)
@@ -48,17 +80,17 @@ export function authMiddleware(db, authDisabled) {
         if (!row) {
             return c.json({ error: 'Invalid or revoked API key', status: 401 }, 401);
         }
-        // Fire-and-forget lastUsedAt update
+        if (row.expiresAt) {
+            const now = Math.floor(Date.now() / 1000);
+            if (now > row.expiresAt) {
+                return c.json({ error: 'This API key has been rotated and is no longer valid. Please use the new key.', status: 401 }, 401);
+            }
+        }
         const now = Math.floor(Date.now() / 1000);
         try {
-            db.update(apiKeys)
-                .set({ lastUsedAt: now })
-                .where(eq(apiKeys.id, row.id))
-                .run();
-        }
-        catch {
-            // Non-critical — don't fail the request
+            db.update(apiKeys).set({ lastUsedAt: now }).where(eq(apiKeys.id, row.id)).run();
         }
+        catch { /* non-critical */ }
         const scopes = (() => {
             try {
                 return JSON.parse(row.scopes);
@@ -67,12 +99,7 @@ export function authMiddleware(db, authDisabled) {
                 return [];
             }
         })();
-        c.set('apiKey', {
-            id: row.id,
-            name: row.name,
-            scopes,
-            tenantId: row.tenantId,
-        });
+        c.set('apiKey', { id: row.id, name: row.name, scopes, tenantId: row.tenantId });
         return next();
     });
 }

package/dist/middleware/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,OAAO,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAmB9C;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,EAAY,EAAE,YAAqB;IAChE,OAAO,gBAAgB,CAA+B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACtE,sBAAsB;QACtB,IAAI,YAAY,EAAE,CAAC;YACjB,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;YACrF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+DAA+D,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9G,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACzB,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAEnC,wCAAwC;QACxC,MAAM,GAAG,GAAG,EAAE;aACX,MAAM,EAAE;aACR,IAAI,CAAC,OAAO,CAAC;aACb,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;aACnE,GAAG,EAAE,CAAC;QAET,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC3E,CAAC;QAED,oCAAoC;QACpC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC;YACH,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC;iBACf,GAAG,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;iBACxB,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;iBAC7B,GAAG,EAAE,CAAC;QACX,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAa,CAAC,GAAG,EAAE;YAC7B,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAa,CAAC;YAC5C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QAEL,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE;YACd,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM;YACN,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC,CAAC;QAEH,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,OAAO,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAoB9C;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,UAAoC,EAAE,YAAqB;IACxF,OAAO,gBAAgB,CAA+B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACtE,sBAAsB;QACtB,IAAI,YAAY,EAAE,CAAC;YACjB,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;YACrF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+DAA+D,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9G,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACzB,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAEnC,2DAA2D;QAC3D,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;YAC/B,4DAA4D;YAC5D,MAAM,MAAM,GAAG,UAA2B,CAAC;YAC3C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YAE7C,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;YAC3E,CAAC;YAED,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;gBAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;gBAC1C,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;oBACxB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+EAA+E,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;gBAC9H,CAAC;YACH,CAAC;YAED,oCAAoC;YACpC,KAAK,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAEnC,MAAM,MAAM,GAAa,CAAC,GAAG,EAAE;gBAC7B,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;oBAAE,OAAO,GAAG,CAAC,MAAM,CAAC;gBACjD,IAAI,CAAC;oBAAC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAgB,CAAa,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC;oBAAC,OAAO,EAAE,CAAC;gBAAC,CAAC;YACnF,CAAC,CAAC,EAAE,CAAC;YAEL,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YAChF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,8CAA8C;QAC9C,MAAM,EAAE,GAAG,UAAsB,CAAC;QAClC,MAAM,GAAG,GAAG,EAAE;aACX,MAAM,EAAE;aACR,IAAI,CAAC,OAAO,CAAC;aACb,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;aACnE,GAAG,EAAE,CAAC;QAET,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC3E,CAAC;QAED,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;gBACxB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+EAA+E,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;YAC9H,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC;YACH,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;QAClF,CAAC;QAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;QAE9B,MAAM,MAAM,GAAa,CAAC,GAAG,EAAE;YAC7B,IAAI,CAAC;gBAAC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAa,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC;gBAAC,OAAO,EAAE,CAAC;YAAC,CAAC;QACzE,CAAC,CAAC,EAAE,CAAC;QAEL,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChF,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/body-limit.d.ts

@@ -0,0 +1,9 @@
+/**
+ * SH-3: Global Body Limit Middleware
+ *
+ * Applies a 1MB default body size limit to all API routes.
+ * Individual routes can override with their own bodyLimit (e.g., events uses 10MB).
+ */
+/** 1MB default body limit for API routes */
+export declare const apiBodyLimit: import("hono").MiddlewareHandler;
+//# sourceMappingURL=body-limit.d.ts.map

package/dist/middleware/body-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"body-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/body-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,4CAA4C;AAC5C,eAAO,MAAM,YAAY,kCAQvB,CAAC"}

package/dist/middleware/body-limit.js

@@ -0,0 +1,15 @@
+/**
+ * SH-3: Global Body Limit Middleware
+ *
+ * Applies a 1MB default body size limit to all API routes.
+ * Individual routes can override with their own bodyLimit (e.g., events uses 10MB).
+ */
+import { bodyLimit } from 'hono/body-limit';
+/** 1MB default body limit for API routes */
+export const apiBodyLimit = bodyLimit({
+    maxSize: 1 * 1024 * 1024, // 1MB
+    onError: (c) => {
+        return c.json({ error: 'Request body too large', status: 413, maxSize: '1MB' }, 413);
+    },
+});
+//# sourceMappingURL=body-limit.js.map

package/dist/middleware/body-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"body-limit.js","sourceRoot":"","sources":["../../src/middleware/body-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,4CAA4C;AAC5C,MAAM,CAAC,MAAM,YAAY,GAAG,SAAS,CAAC;IACpC,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,IAAI,EAAE,MAAM;IAChC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACb,OAAO,CAAC,CAAC,IAAI,CACX,EAAE,KAAK,EAAE,wBAAwB,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/dist/middleware/cors-config.d.ts

@@ -0,0 +1,30 @@
+/**
+ * SH-4: CORS Hardening — explicit origin callback for hono/cors.
+ *
+ * Reads CORS_ORIGINS (comma-separated) and builds an origin callback that:
+ * - Rejects unlisted origins (returns empty string → no CORS headers)
+ * - Blocks wildcard '*' in production
+ * - Auto-allows http://localhost:* in dev mode
+ * - Supports credentials, explicit allowed/exposed headers, and maxAge
+ */
+/** Local mirror of hono/cors CORSOptions (not exported by the package). */
+type CorsOptions = {
+    origin: string | string[] | ((origin: string) => string);
+    allowMethods?: string[];
+    allowHeaders?: string[];
+    maxAge?: number;
+    credentials?: boolean;
+    exposeHeaders?: string[];
+};
+export interface CorsConfig {
+    /** Comma-separated allowed origins, or a single origin */
+    corsOrigins?: string;
+    /** NODE_ENV value */
+    nodeEnv?: string;
+}
+/**
+ * Build hono/cors options with an explicit origin callback.
+ */
+export declare function buildCorsOptions(config: CorsConfig): CorsOptions;
+export {};
+//# sourceMappingURL=cors-config.d.ts.map

package/dist/middleware/cors-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors-config.d.ts","sourceRoot":"","sources":["../../src/middleware/cors-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,2EAA2E;AAC3E,KAAK,WAAW,GAAG;IACjB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC;IACzD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B,CAAC;AAEF,MAAM,WAAW,UAAU;IACzB,0DAA0D;IAC1D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qBAAqB;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAcD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,UAAU,GAAG,WAAW,CAoChE"}

package/dist/middleware/cors-config.js

@@ -0,0 +1,55 @@
+/**
+ * SH-4: CORS Hardening — explicit origin callback for hono/cors.
+ *
+ * Reads CORS_ORIGINS (comma-separated) and builds an origin callback that:
+ * - Rejects unlisted origins (returns empty string → no CORS headers)
+ * - Blocks wildcard '*' in production
+ * - Auto-allows http://localhost:* in dev mode
+ * - Supports credentials, explicit allowed/exposed headers, and maxAge
+ */
+/**
+ * Parse CORS_ORIGINS env var into a Set of allowed origins.
+ */
+function parseOrigins(raw) {
+    if (!raw)
+        return new Set();
+    return new Set(raw.split(',')
+        .map(o => o.trim())
+        .filter(Boolean));
+}
+/**
+ * Build hono/cors options with an explicit origin callback.
+ */
+export function buildCorsOptions(config) {
+    const isDev = config.nodeEnv !== 'production';
+    const origins = parseOrigins(config.corsOrigins);
+    // Block wildcard in production
+    if (!isDev && origins.has('*')) {
+        throw new Error('CORS wildcard (*) is not allowed in production. ' +
+            'Set CORS_ORIGINS to specific origins.');
+    }
+    return {
+        origin: (requestOrigin) => {
+            // No origin header (e.g. same-origin, server-to-server) — allow
+            if (!requestOrigin)
+                return requestOrigin;
+            // Exact match
+            if (origins.has(requestOrigin))
+                return requestOrigin;
+            // Wildcard in dev
+            if (isDev && origins.has('*'))
+                return requestOrigin;
+            // Dev mode: auto-allow localhost on any port
+            if (isDev && /^https?:\/\/localhost(:\d+)?$/.test(requestOrigin)) {
+                return requestOrigin;
+            }
+            // Reject — return empty string so hono/cors omits CORS headers
+            return '';
+        },
+        credentials: true,
+        allowHeaders: ['Authorization', 'Content-Type', 'X-Request-ID'],
+        exposeHeaders: ['X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset'],
+        maxAge: 86400,
+    };
+}
+//# sourceMappingURL=cors-config.js.map

package/dist/middleware/cors-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors-config.js","sourceRoot":"","sources":["../../src/middleware/cors-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAmBH;;GAEG;AACH,SAAS,YAAY,CAAC,GAAY;IAChC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,GAAG,EAAE,CAAC;IAC3B,OAAO,IAAI,GAAG,CACZ,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC;SACX,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SAClB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAkB;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,KAAK,YAAY,CAAC;IAC9C,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEjD,+BAA+B;IAC/B,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,kDAAkD;YAClD,uCAAuC,CACxC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,CAAC,aAAqB,EAAE,EAAE;YAChC,gEAAgE;YAChE,IAAI,CAAC,aAAa;gBAAE,OAAO,aAAa,CAAC;YAEzC,cAAc;YACd,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,OAAO,aAAa,CAAC;YAErD,kBAAkB;YAClB,IAAI,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,OAAO,aAAa,CAAC;YAEpD,6CAA6C;YAC7C,IAAI,KAAK,IAAI,+BAA+B,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;gBACjE,OAAO,aAAa,CAAC;YACvB,CAAC;YAED,+DAA+D;YAC/D,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,WAAW,EAAE,IAAI;QACjB,YAAY,EAAE,CAAC,eAAe,EAAE,cAAc,EAAE,cAAc,CAAC;QAC/D,aAAa,EAAE,CAAC,mBAAmB,EAAE,uBAAuB,EAAE,mBAAmB,CAAC;QAClF,MAAM,EAAE,KAAK;KACd,CAAC;AACJ,CAAC"}

package/dist/middleware/rate-limit.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Rate-limiting middleware for auth and API endpoints.
+ * Uses hono-rate-limiter with in-memory store.
+ *
+ * @module middleware/rate-limit
+ */
+export declare const authRateLimit: import("hono").MiddlewareHandler<import("hono").Env, string, import("hono").Input, Response>;
+export declare const apiRateLimit: import("hono").MiddlewareHandler<import("hono").Env, string, import("hono").Input, Response>;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/middleware/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA0BH,eAAO,MAAM,aAAa,8FAWxB,CAAC;AAOH,eAAO,MAAM,YAAY,8FAkBvB,CAAC"}

package/dist/middleware/rate-limit.js

@@ -0,0 +1,56 @@
+/**
+ * Rate-limiting middleware for auth and API endpoints.
+ * Uses hono-rate-limiter with in-memory store.
+ *
+ * @module middleware/rate-limit
+ */
+import { rateLimiter } from 'hono-rate-limiter';
+import { createLogger } from '../lib/logger.js';
+const log = createLogger('RateLimit');
+// ─── Helpers ─────────────────────────────────────────────
+/**
+ * Extract client IP using x-forwarded-for → cf-connecting-ip → 'unknown'.
+ */
+function getClientIp(c) {
+    return (c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ||
+        c.req.header('cf-connecting-ip') ||
+        'unknown');
+}
+// ─── Auth rate limiter ───────────────────────────────────
+const AUTH_MAX = Number(process.env['RATE_LIMIT_AUTH_MAX'] ?? 20);
+const AUTH_WINDOW_MS = Number(process.env['RATE_LIMIT_AUTH_WINDOW_MS'] ?? 15 * 60 * 1000);
+export const authRateLimit = rateLimiter({
+    windowMs: AUTH_WINDOW_MS,
+    limit: AUTH_MAX,
+    standardHeaders: 'draft-7',
+    keyGenerator: (c) => `auth:${getClientIp(c)}`,
+    handler: (c) => {
+        const ip = getClientIp(c);
+        const route = new URL(c.req.url).pathname;
+        log.warn('Auth rate limit exceeded', { ip, route });
+        return c.json({ error: 'Too Many Requests' }, 429);
+    },
+});
+// ─── API rate limiter ────────────────────────────────────
+const API_MAX = Number(process.env['RATE_LIMIT_API_MAX'] ?? 200);
+const API_WINDOW_MS = Number(process.env['RATE_LIMIT_API_WINDOW_MS'] ?? 60 * 1000);
+export const apiRateLimit = rateLimiter({
+    windowMs: API_WINDOW_MS,
+    limit: API_MAX,
+    standardHeaders: 'draft-7',
+    keyGenerator: (c) => {
+        // Prefer API key from Authorization header, fall back to IP
+        const authHeader = c.req.header('authorization');
+        if (authHeader?.startsWith('Bearer ')) {
+            return `api:${authHeader.slice(7)}`;
+        }
+        return `api:${getClientIp(c)}`;
+    },
+    handler: (c) => {
+        const ip = getClientIp(c);
+        const route = new URL(c.req.url).pathname;
+        log.warn('API rate limit exceeded', { ip, route });
+        return c.json({ error: 'Too Many Requests' }, 429);
+    },
+});
+//# sourceMappingURL=rate-limit.js.map

package/dist/middleware/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,GAAG,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;AAEtC,4DAA4D;AAE5D;;GAEG;AACH,SAAS,WAAW,CAAC,CAAU;IAC7B,OAAO,CACL,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;QACtD,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAChC,SAAS,CACV,CAAC;AACJ,CAAC;AAED,4DAA4D;AAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,EAAE,CAAC,CAAC;AAClE,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AAE1F,MAAM,CAAC,MAAM,aAAa,GAAG,WAAW,CAAC;IACvC,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE,QAAQ;IACf,eAAe,EAAE,SAAS;IAC1B,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,WAAW,CAAC,CAAC,CAAC,EAAE;IAC7C,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACb,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC,0BAA0B,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC;CACF,CAAC,CAAC;AAEH,4DAA4D;AAE5D,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,GAAG,CAAC,CAAC;AACjE,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;AAEnF,MAAM,CAAC,MAAM,YAAY,GAAG,WAAW,CAAC;IACtC,QAAQ,EAAE,aAAa;IACvB,KAAK,EAAE,OAAO;IACd,eAAe,EAAE,SAAS;IAC1B,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE;QAClB,4DAA4D;QAC5D,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACtC,OAAO,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACtC,CAAC;QACD,OAAO,OAAO,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACb,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC;CACF,CAAC,CAAC"}

package/dist/middleware/rbac.d.ts

@@ -0,0 +1,30 @@
+/**
+ * RBAC Enforcement Middleware [F2-S2]
+ *
+ * Hono middleware factories that read c.var.auth.role (set by unified-auth)
+ * and enforce permission categories using the existing cloud/auth/rbac.ts module.
+ */
+import { type ActionCategory } from '../cloud/auth/rbac.js';
+import type { UnifiedAuthVariables } from './unified-auth.js';
+/**
+ * Require a minimum action category for the route.
+ * Reads role from c.var.auth.role (set by unified-auth).
+ */
+export declare function requireCategory(category: ActionCategory): import("hono").MiddlewareHandler<{
+    Variables: UnifiedAuthVariables;
+}, string, {}, Response>;
+/**
+ * Auto-categorize by HTTP method.
+ * GET/HEAD/OPTIONS → read; all others → write
+ */
+export declare function requireMethodCategory(): import("hono").MiddlewareHandler<{
+    Variables: UnifiedAuthVariables;
+}, string, {}, Response>;
+/**
+ * Map specific HTTP methods to action categories.
+ * Unlisted methods default to 'write'.
+ */
+export declare function requireCategoryByMethod(mapping: Partial<Record<string, ActionCategory>>): import("hono").MiddlewareHandler<{
+    Variables: UnifiedAuthVariables;
+}, string, {}, Response>;
+//# sourceMappingURL=rbac.d.ts.map

package/dist/middleware/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../../src/middleware/rbac.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAoC,KAAK,cAAc,EAAa,MAAM,uBAAuB,CAAC;AAEzG,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAe9D;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,cAAc;eACjB,oBAAoB;yBAgB1D;AAED;;;GAGG;AACH,wBAAgB,qBAAqB;eACE,oBAAoB;yBAoB1D;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;eACjD,oBAAoB;yBAmB1D"}

package/dist/middleware/rbac.js

@@ -0,0 +1,87 @@
+/**
+ * RBAC Enforcement Middleware [F2-S2]
+ *
+ * Hono middleware factories that read c.var.auth.role (set by unified-auth)
+ * and enforce permission categories using the existing cloud/auth/rbac.ts module.
+ */
+import { createMiddleware } from 'hono/factory';
+import { isRoleAllowed, PERMISSION_MATRIX } from '../cloud/auth/rbac.js';
+import { authRequired, insufficientPermissions } from './auth-errors.js';
+/**
+ * Get the minimum role required for a given action category.
+ */
+function minRoleForCategory(category) {
+    const roles = PERMISSION_MATRIX[category];
+    // Return the least-privileged role in the list
+    const hierarchy = ['viewer', 'member', 'admin', 'owner'];
+    for (const r of hierarchy) {
+        if (roles.includes(r))
+            return r;
+    }
+    return 'owner';
+}
+/**
+ * Require a minimum action category for the route.
+ * Reads role from c.var.auth.role (set by unified-auth).
+ */
+export function requireCategory(category) {
+    return createMiddleware(async (c, next) => {
+        const auth = c.var.auth;
+        if (!auth) {
+            return authRequired(c);
+        }
+        if (!isRoleAllowed(auth.role, category)) {
+            return insufficientPermissions(c, {
+                required: minRoleForCategory(category),
+                current: auth.role,
+                hint: `This action requires '${minRoleForCategory(category)}' role or higher. Your current role is '${auth.role}'.`,
+            });
+        }
+        return next();
+    });
+}
+/**
+ * Auto-categorize by HTTP method.
+ * GET/HEAD/OPTIONS → read; all others → write
+ */
+export function requireMethodCategory() {
+    return createMiddleware(async (c, next) => {
+        const auth = c.var.auth;
+        if (!auth) {
+            return authRequired(c);
+        }
+        const method = c.req.method;
+        const category = ['GET', 'HEAD', 'OPTIONS'].includes(method) ? 'read' : 'write';
+        if (!isRoleAllowed(auth.role, category)) {
+            return insufficientPermissions(c, {
+                required: minRoleForCategory(category),
+                current: auth.role,
+                hint: `${method} requires '${minRoleForCategory(category)}' role. Your role is '${auth.role}'.`,
+            });
+        }
+        return next();
+    });
+}
+/**
+ * Map specific HTTP methods to action categories.
+ * Unlisted methods default to 'write'.
+ */
+export function requireCategoryByMethod(mapping) {
+    return createMiddleware(async (c, next) => {
+        const auth = c.var.auth;
+        if (!auth) {
+            return authRequired(c);
+        }
+        const method = c.req.method;
+        const category = mapping[method] ?? 'write';
+        if (!isRoleAllowed(auth.role, category)) {
+            return insufficientPermissions(c, {
+                required: minRoleForCategory(category),
+                current: auth.role,
+                hint: `${method} on this resource requires '${minRoleForCategory(category)}' role. Your role is '${auth.role}'.`,
+            });
+        }
+        return next();
+    });
+}
+//# sourceMappingURL=rbac.js.map

package/dist/middleware/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","sourceRoot":"","sources":["../../src/middleware/rbac.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAkC,MAAM,uBAAuB,CAAC;AACzG,OAAO,EAAE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAGzE;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAAwB;IAClD,MAAM,KAAK,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC1C,+CAA+C;IAC/C,MAAM,SAAS,GAAW,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACjE,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,QAAwB;IACtD,OAAO,gBAAgB,CAAsC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7E,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,uBAAuB,CAAC,CAAC,EAAE;gBAChC,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,IAAI,EAAE,yBAAyB,kBAAkB,CAAC,QAAQ,CAAC,2CAA2C,IAAI,CAAC,IAAI,IAAI;aACpH,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,gBAAgB,CAAsC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7E,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;QAC5B,MAAM,QAAQ,GACZ,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;QAEjE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,uBAAuB,CAAC,CAAC,EAAE;gBAChC,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,IAAI,EAAE,GAAG,MAAM,cAAc,kBAAkB,CAAC,QAAQ,CAAC,yBAAyB,IAAI,CAAC,IAAI,IAAI;aAChG,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAgD;IACtF,OAAO,gBAAgB,CAAsC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7E,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;QAC5B,MAAM,QAAQ,GAAmB,OAAO,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC;QAE5D,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,uBAAuB,CAAC,CAAC,EAAE;gBAChC,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,IAAI,EAAE,GAAG,MAAM,+BAA+B,kBAAkB,CAAC,QAAQ,CAAC,yBAAyB,IAAI,CAAC,IAAI,IAAI;aACjH,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/security-headers.d.ts

@@ -0,0 +1,12 @@
+/**
+ * SH-5: CSP & Security Headers middleware.
+ *
+ * Applies security headers to ALL responses. Must be registered as the
+ * first middleware in the stack.
+ *
+ * CSP policy is overridable via the `CSP_POLICY` environment variable.
+ * When set, the raw string replaces the built-in CSP object.
+ */
+import type { MiddlewareHandler } from 'hono';
+export declare function securityHeadersMiddleware(): MiddlewareHandler;
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/middleware/security-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../src/middleware/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAO9C,wBAAgB,yBAAyB,IAAI,iBAAiB,CA8C7D"}