@agentlensai/server 0.11.0 → 0.14.0

package/dist/lib/secrets.js

@@ -0,0 +1,103 @@
+/**
+ * SH-7: Secret Management Hardening
+ *
+ * Resolves secrets from 3 tiers:
+ *   1. process.env[name]           — plain env var (default)
+ *   2. process.env[name + '_FILE'] — file path (Docker Secrets / K8s)
+ *   3. process.env[name + '_ARN']  — AWS Secrets Manager ARN
+ */
+import { readFileSync } from 'node:fs';
+import { createLogger } from './logger.js';
+const log = createLogger('Secrets');
+/**
+ * Resolve a single secret through the 3-tier hierarchy.
+ * Returns the resolved value or undefined.
+ */
+export async function resolveSecret(name) {
+    // Tier 1: plain env var
+    const plain = process.env[name];
+    if (plain !== undefined)
+        return plain;
+    // Tier 2: file-based (_FILE suffix)
+    const filePath = process.env[`${name}_FILE`];
+    if (filePath) {
+        try {
+            return readFileSync(filePath, 'utf-8').trim();
+        }
+        catch (err) {
+            throw new Error(`Secret ${name}: failed to read file "${filePath}": ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    // Tier 3: AWS Secrets Manager (_ARN suffix)
+    const arn = process.env[`${name}_ARN`];
+    if (arn) {
+        return fetchFromAwsSecretsManager(arn, name);
+    }
+    return undefined;
+}
+/**
+ * Lazy-import AWS SDK and fetch secret value.
+ */
+async function fetchFromAwsSecretsManager(arn, name) {
+    try {
+        // @ts-ignore — optional dependency; fails gracefully at runtime
+        const mod = await import('@aws-sdk/client-secrets-manager').catch(() => {
+            throw new Error(`Secret ${name}: install @aws-sdk/client-secrets-manager to use ARN-based secrets`);
+        });
+        const { SecretsManagerClient, GetSecretValueCommand } = mod;
+        const client = new SecretsManagerClient({});
+        const response = await client.send(new GetSecretValueCommand({ SecretId: arn }));
+        const value = response.SecretString;
+        if (!value) {
+            throw new Error(`Secret ${name}: ARN "${arn}" returned no SecretString`);
+        }
+        return value;
+    }
+    catch (err) {
+        if (err instanceof Error && err.message.startsWith(`Secret ${name}:`))
+            throw err;
+        throw new Error(`Secret ${name}: AWS Secrets Manager fetch failed for "${arn}": ${err instanceof Error ? err.message : err}`);
+    }
+}
+/** Well-known secret names managed by this module. */
+export const MANAGED_SECRETS = [
+    { name: 'JWT_SECRET', required: true },
+    { name: 'OIDC_CLIENT_SECRET' },
+    { name: 'DATABASE_URL' },
+    { name: 'AGENTGATE_WEBHOOK_SECRET' },
+    { name: 'FORMBRIDGE_WEBHOOK_SECRET' },
+];
+/**
+ * Resolve all managed secrets at startup.
+ * - Sets resolved values back into process.env for downstream consumers.
+ * - Fails fast in production if required secrets are missing.
+ * - Warns in production if all secrets are plain env vars (no file/ARN).
+ */
+export async function resolveAllSecrets() {
+    const isProduction = process.env['NODE_ENV'] === 'production';
+    const resolved = {};
+    let allPlainEnv = true;
+    for (const spec of MANAGED_SECRETS) {
+        const { name } = spec;
+        // Track whether any secret uses file or ARN tier
+        if (process.env[`${name}_FILE`] || process.env[`${name}_ARN`]) {
+            allPlainEnv = false;
+        }
+        const value = await resolveSecret(name);
+        if (value !== undefined) {
+            resolved[name] = value;
+            // Inject into process.env so downstream code (config.ts, middleware) just reads env
+            process.env[name] = value;
+        }
+        else if (spec.required && isProduction) {
+            throw new Error(`FATAL: Required secret "${name}" is not set. ` +
+                `Provide ${name}, ${name}_FILE, or ${name}_ARN.`);
+        }
+    }
+    if (isProduction && allPlainEnv) {
+        log.warn('⚠️  All secrets are plain environment variables. ' +
+            'Consider using _FILE (Docker/K8s) or _ARN (AWS) for production hardening.');
+    }
+    return resolved;
+}
+//# sourceMappingURL=secrets.js.map

package/dist/lib/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/lib/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;AAWpC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAY;IAC9C,wBAAwB;IACxB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAEtC,oCAAoC;IACpC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC;IAC7C,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,CAAC;YACH,OAAO,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,UAAU,IAAI,0BAA0B,QAAQ,MAAM,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CACjG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,MAAM,CAAC,CAAC;IACvC,IAAI,GAAG,EAAE,CAAC;QACR,OAAO,0BAA0B,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,0BAA0B,CAAC,GAAW,EAAE,IAAY;IACjE,IAAI,CAAC;QACH,gEAAgE;QAChE,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;YACrE,MAAM,IAAI,KAAK,CACb,UAAU,IAAI,oEAAoE,CACnF,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,MAAM,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,GAAG,GAAG,CAAC;QAC5D,MAAM,MAAM,GAAG,IAAI,oBAAoB,CAAC,EAAE,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAChC,IAAI,qBAAqB,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAC7C,CAAC;QACF,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC;QACpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,UAAU,IAAI,UAAU,GAAG,4BAA4B,CAAC,CAAC;QAC3E,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,UAAU,IAAI,GAAG,CAAC;YAAE,MAAM,GAAG,CAAC;QACjF,MAAM,IAAI,KAAK,CACb,UAAU,IAAI,2CAA2C,GAAG,MAAM,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAC7G,CAAC;IACJ,CAAC;AACH,CAAC;AAED,sDAAsD;AACtD,MAAM,CAAC,MAAM,eAAe,GAAiB;IAC3C,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE;IACtC,EAAE,IAAI,EAAE,oBAAoB,EAAE;IAC9B,EAAE,IAAI,EAAE,cAAc,EAAE;IACxB,EAAE,IAAI,EAAE,0BAA0B,EAAE;IACpC,EAAE,IAAI,EAAE,2BAA2B,EAAE;CACtC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAC;IAC9D,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,IAAI,WAAW,GAAG,IAAI,CAAC;IAEvB,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;QAEtB,iDAAiD;QACjD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,OAAO,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC;YAC9D,WAAW,GAAG,KAAK,CAAC;QACtB,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,CAAC;QAExC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,QAAQ,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;YACvB,oFAAoF;YACpF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;QAC5B,CAAC;aAAM,IAAI,IAAI,CAAC,QAAQ,IAAI,YAAY,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACb,2BAA2B,IAAI,gBAAgB;gBAC/C,WAAW,IAAI,KAAK,IAAI,aAAa,IAAI,OAAO,CACjD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,YAAY,IAAI,WAAW,EAAE,CAAC;QAChC,GAAG,CAAC,IAAI,CACN,mDAAmD;YACnD,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/lib/threshold-monitor.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Threshold Monitor — detects metric breaches and fires webhooks.
+ *
+ * Part of the Proactive Guardrails feature (Batch 1, Story 1.2).
+ * Monitors configurable metric thresholds and fires webhooks on state transitions
+ * (ok→breached or breached→ok) to enable downstream systems (e.g. AgentGate)
+ * to tighten/relax approval policies automatically.
+ */
+export type MetricType = 'error_rate' | 'cost' | 'latency';
+export type WindowSize = '5m' | '15m' | '1h';
+export type ThresholdState = 'ok' | 'breached';
+export interface ThresholdConfig {
+    metric: MetricType;
+    value: number;
+    window: WindowSize;
+    webhookUrl: string;
+    agentId?: string;
+}
+export interface WebhookPayload {
+    event: 'breach' | 'recovery';
+    metric: MetricType;
+    currentValue: number;
+    threshold: number;
+    agentId: string | null;
+    timestamp: string;
+}
+/** Function signature for fetching current metric values */
+export type MetricsFetcher = (metric: MetricType, window: WindowSize, agentId?: string) => Promise<number>;
+export declare class ThresholdMonitor {
+    private thresholds;
+    private fetchMetric;
+    private states;
+    private timer;
+    private readonly checkIntervalMs;
+    constructor(thresholds: ThresholdConfig[], fetchMetric: MetricsFetcher, options?: {
+        checkIntervalMs?: number;
+    });
+    /** Unique key for a threshold config */
+    private key;
+    /** Start periodic checking */
+    start(): void;
+    /** Stop periodic checking */
+    stop(): void;
+    /** Get current state for a threshold */
+    getState(t: ThresholdConfig): ThresholdState;
+    /** Check all thresholds once */
+    checkAll(): Promise<void>;
+    /** Check a single threshold */
+    private checkOne;
+    /** Fire webhook with 3x retry and exponential backoff */
+    fireWebhook(url: string, payload: WebhookPayload): Promise<void>;
+}
+//# sourceMappingURL=threshold-monitor.d.ts.map

package/dist/lib/threshold-monitor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"threshold-monitor.d.ts","sourceRoot":"","sources":["../../src/lib/threshold-monitor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH,MAAM,MAAM,UAAU,GAAG,YAAY,GAAG,MAAM,GAAG,SAAS,CAAC;AAC3D,MAAM,MAAM,UAAU,GAAG,IAAI,GAAG,KAAK,GAAG,IAAI,CAAC;AAC7C,MAAM,MAAM,cAAc,GAAG,IAAI,GAAG,UAAU,CAAC;AAE/C,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,UAAU,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,UAAU,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,QAAQ,GAAG,UAAU,CAAC;IAC7B,MAAM,EAAE,UAAU,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,4DAA4D;AAC5D,MAAM,MAAM,cAAc,GAAG,CAC3B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,UAAU,EAClB,OAAO,CAAC,EAAE,MAAM,KACb,OAAO,CAAC,MAAM,CAAC,CAAC;AAQrB,qBAAa,gBAAgB;IAMzB,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,WAAW;IANrB,OAAO,CAAC,MAAM,CAA0C;IACxD,OAAO,CAAC,KAAK,CAA+C;IAC5D,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAG/B,UAAU,EAAE,eAAe,EAAE,EAC7B,WAAW,EAAE,cAAc,EACnC,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE;IAUxC,wCAAwC;IACxC,OAAO,CAAC,GAAG;IAIX,8BAA8B;IAC9B,KAAK,IAAI,IAAI;IAOb,6BAA6B;IAC7B,IAAI,IAAI,IAAI;IAOZ,wCAAwC;IACxC,QAAQ,CAAC,CAAC,EAAE,eAAe,GAAG,cAAc;IAI5C,gCAAgC;IAC1B,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAI/B,+BAA+B;YACjB,QAAQ;IA0BtB,yDAAyD;IACnD,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CA+BvE"}

package/dist/lib/threshold-monitor.js

@@ -0,0 +1,112 @@
+/**
+ * Threshold Monitor — detects metric breaches and fires webhooks.
+ *
+ * Part of the Proactive Guardrails feature (Batch 1, Story 1.2).
+ * Monitors configurable metric thresholds and fires webhooks on state transitions
+ * (ok→breached or breached→ok) to enable downstream systems (e.g. AgentGate)
+ * to tighten/relax approval policies automatically.
+ */
+import { createLogger } from './logger.js';
+import { isWebhookUrlAllowed } from './alert-engine.js';
+const log = createLogger('ThresholdMonitor');
+// ─── ThresholdMonitor ───────────────────────────────────────────────
+const DEFAULT_CHECK_INTERVAL_MS = 60_000;
+const MAX_RETRIES = 3;
+const BASE_RETRY_DELAY_MS = 1_000;
+export class ThresholdMonitor {
+    thresholds;
+    fetchMetric;
+    states = new Map();
+    timer = null;
+    checkIntervalMs;
+    constructor(thresholds, fetchMetric, options) {
+        this.thresholds = thresholds;
+        this.fetchMetric = fetchMetric;
+        this.checkIntervalMs = options?.checkIntervalMs ?? DEFAULT_CHECK_INTERVAL_MS;
+        // Initialize all thresholds to 'ok'
+        for (const t of thresholds) {
+            this.states.set(this.key(t), 'ok');
+        }
+    }
+    /** Unique key for a threshold config */
+    key(t) {
+        return `${t.metric}:${t.window}:${t.agentId ?? '*'}`;
+    }
+    /** Start periodic checking */
+    start() {
+        if (this.timer)
+            return;
+        this.timer = setInterval(() => this.checkAll(), this.checkIntervalMs);
+        this.timer.unref();
+        log.info(`ThresholdMonitor started (${this.thresholds.length} thresholds, ${this.checkIntervalMs}ms interval)`);
+    }
+    /** Stop periodic checking */
+    stop() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+    }
+    /** Get current state for a threshold */
+    getState(t) {
+        return this.states.get(this.key(t)) ?? 'ok';
+    }
+    /** Check all thresholds once */
+    async checkAll() {
+        await Promise.allSettled(this.thresholds.map((t) => this.checkOne(t)));
+    }
+    /** Check a single threshold */
+    async checkOne(t) {
+        try {
+            const currentValue = await this.fetchMetric(t.metric, t.window, t.agentId);
+            const k = this.key(t);
+            const prevState = this.states.get(k) ?? 'ok';
+            const newState = currentValue > t.value ? 'breached' : 'ok';
+            if (prevState !== newState) {
+                this.states.set(k, newState);
+                const payload = {
+                    event: newState === 'breached' ? 'breach' : 'recovery',
+                    metric: t.metric,
+                    currentValue,
+                    threshold: t.value,
+                    agentId: t.agentId ?? null,
+                    timestamp: new Date().toISOString(),
+                };
+                log.info(`Threshold ${newState}: ${t.metric} = ${currentValue} (threshold: ${t.value})`);
+                await this.fireWebhook(t.webhookUrl, payload);
+            }
+        }
+        catch (err) {
+            log.error(`Failed to check threshold ${t.metric}: ${err}`);
+        }
+    }
+    /** Fire webhook with 3x retry and exponential backoff */
+    async fireWebhook(url, payload) {
+        if (!isWebhookUrlAllowed(url)) {
+            log.error(`Webhook URL blocked by SSRF protection: ${url}`);
+            return;
+        }
+        for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+            try {
+                const res = await fetch(url, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify(payload),
+                });
+                if (res.ok) {
+                    return;
+                }
+                log.warn(`Webhook attempt ${attempt + 1} failed: HTTP ${res.status}`);
+            }
+            catch (err) {
+                log.warn(`Webhook attempt ${attempt + 1} error: ${err}`);
+            }
+            if (attempt < MAX_RETRIES - 1) {
+                const delay = BASE_RETRY_DELAY_MS * Math.pow(2, attempt);
+                await new Promise((r) => setTimeout(r, delay));
+            }
+        }
+        log.error(`Webhook delivery failed after ${MAX_RETRIES} attempts: ${url}`);
+    }
+}
+//# sourceMappingURL=threshold-monitor.js.map

package/dist/lib/threshold-monitor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"threshold-monitor.js","sourceRoot":"","sources":["../../src/lib/threshold-monitor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,MAAM,GAAG,GAAG,YAAY,CAAC,kBAAkB,CAAC,CAAC;AAgC7C,uEAAuE;AAEvE,MAAM,yBAAyB,GAAG,MAAM,CAAC;AACzC,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,mBAAmB,GAAG,KAAK,CAAC;AAElC,MAAM,OAAO,gBAAgB;IAMjB;IACA;IANF,MAAM,GAAgC,IAAI,GAAG,EAAE,CAAC;IAChD,KAAK,GAA0C,IAAI,CAAC;IAC3C,eAAe,CAAS;IAEzC,YACU,UAA6B,EAC7B,WAA2B,EACnC,OAAsC;QAF9B,eAAU,GAAV,UAAU,CAAmB;QAC7B,gBAAW,GAAX,WAAW,CAAgB;QAGnC,IAAI,CAAC,eAAe,GAAG,OAAO,EAAE,eAAe,IAAI,yBAAyB,CAAC;QAE7E,oCAAoC;QACpC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,wCAAwC;IAChC,GAAG,CAAC,CAAkB;QAC5B,OAAO,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;IACvD,CAAC;IAED,8BAA8B;IAC9B,KAAK;QACH,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QACvB,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;QACtE,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,GAAG,CAAC,IAAI,CAAC,6BAA6B,IAAI,CAAC,UAAU,CAAC,MAAM,gBAAgB,IAAI,CAAC,eAAe,cAAc,CAAC,CAAC;IAClH,CAAC;IAED,6BAA6B;IAC7B,IAAI;QACF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,QAAQ,CAAC,CAAkB;QACzB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9C,CAAC;IAED,gCAAgC;IAChC,KAAK,CAAC,QAAQ;QACZ,MAAM,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,+BAA+B;IACvB,KAAK,CAAC,QAAQ,CAAC,CAAkB;QACvC,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;YAC3E,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACtB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YAC7C,MAAM,QAAQ,GAAmB,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;YAE5E,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;gBAC7B,MAAM,OAAO,GAAmB;oBAC9B,KAAK,EAAE,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU;oBACtD,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,YAAY;oBACZ,SAAS,EAAE,CAAC,CAAC,KAAK;oBAClB,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,IAAI;oBAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACpC,CAAC;gBAEF,GAAG,CAAC,IAAI,CAAC,aAAa,QAAQ,KAAK,CAAC,CAAC,MAAM,MAAM,YAAY,gBAAgB,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;gBACzF,MAAM,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,WAAW,CAAC,GAAW,EAAE,OAAuB;QACpD,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,GAAG,CAAC,KAAK,CAAC,2CAA2C,GAAG,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QAED,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;YACvD,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;oBAC3B,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;iBAC9B,CAAC,CAAC;gBAEH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;oBACX,OAAO;gBACT,CAAC;gBAED,GAAG,CAAC,IAAI,CAAC,mBAAmB,OAAO,GAAG,CAAC,iBAAiB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACxE,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,mBAAmB,OAAO,GAAG,CAAC,WAAW,GAAG,EAAE,CAAC,CAAC;YAC3D,CAAC;YAED,IAAI,OAAO,GAAG,WAAW,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,KAAK,GAAG,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;gBACzD,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;YACjD,CAAC;QACH,CAAC;QAED,GAAG,CAAC,KAAK,CAAC,iCAAiC,WAAW,cAAc,GAAG,EAAE,CAAC,CAAC;IAC7E,CAAC;CACF"}

package/dist/middleware/audit.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Audit Logger Middleware (SH-2)
+ *
+ * Injects the audit logger into Hono context as `c.get('audit')`.
+ */
+import type { AuditLogger } from '../lib/audit.js';
+export type AuditVariables = {
+    audit: AuditLogger;
+};
+/**
+ * Create middleware that injects the audit logger into context.
+ */
+export declare function auditMiddleware(auditLogger: AuditLogger): import("hono").MiddlewareHandler<{
+    Variables: AuditVariables;
+}, string, {}, Response>;
+//# sourceMappingURL=audit.d.ts.map

package/dist/middleware/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/middleware/audit.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEnD,MAAM,MAAM,cAAc,GAAG;IAC3B,KAAK,EAAE,WAAW,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,WAAW;eACjB,cAAc;yBAIpD"}

package/dist/middleware/audit.js

@@ -0,0 +1,16 @@
+/**
+ * Audit Logger Middleware (SH-2)
+ *
+ * Injects the audit logger into Hono context as `c.get('audit')`.
+ */
+import { createMiddleware } from 'hono/factory';
+/**
+ * Create middleware that injects the audit logger into context.
+ */
+export function auditMiddleware(auditLogger) {
+    return createMiddleware(async (c, next) => {
+        c.set('audit', auditLogger);
+        return next();
+    });
+}
+//# sourceMappingURL=audit.js.map

package/dist/middleware/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/middleware/audit.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAOhD;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,WAAwB;IACtD,OAAO,gBAAgB,CAAgC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC5B,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/auth-errors.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Standardized auth error response builders (Story 6 / PRD §R5).
+ *
+ * All 401/403 responses share a consistent JSON structure with
+ * actionable `hint` fields. No stack traces or internals leaked.
+ */
+import type { Context } from 'hono';
+export declare function missingCredentials(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    docs: string;
+    status: number;
+}, 401, "json">;
+export declare function invalidApiKey(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    status: number;
+}, 401, "json">;
+export declare function expiredApiKey(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    status: number;
+}, 401, "json">;
+export declare function expiredJwt(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    status: number;
+}, 401, "json">;
+export declare function invalidJwt(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    docs: string;
+    status: number;
+}, 401, "json">;
+export declare function invalidCloudKey(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    status: number;
+}, 401, "json">;
+export declare function authRequired(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    status: number;
+}, 401, "json">;
+export declare function otlpAuthRequired(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    docs: string;
+    status: number;
+}, 401, "json">;
+export declare function otlpInvalidToken(c: Context): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    status: number;
+}, 401, "json">;
+export declare function insufficientPermissions(c: Context, opts: {
+    required: string;
+    current: string;
+    hint?: string;
+}): Response & import("hono").TypedResponse<{
+    error: string;
+    hint: string;
+    required: string;
+    current: string;
+    status: number;
+}, 403, "json">;
+//# sourceMappingURL=auth-errors.d.ts.map

package/dist/middleware/auth-errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-errors.d.ts","sourceRoot":"","sources":["../../src/middleware/auth-errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAIpC,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;gBAO5C;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO;;;;gBAMvC;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO;;;;gBAMvC;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,OAAO;;;;gBAMpC;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,OAAO;;;;;gBAOpC;AAED,wBAAgB,eAAe,CAAC,CAAC,EAAE,OAAO;;;;gBAMzC;AAED,wBAAgB,YAAY,CAAC,CAAC,EAAE,OAAO;;;;gBAMtC;AAED,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,OAAO;;;;;gBAO1C;AAED,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,OAAO;;;;gBAM1C;AAID,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE;IACxD,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;;;;;;gBAQA"}

package/dist/middleware/auth-errors.js

@@ -0,0 +1,84 @@
+/**
+ * Standardized auth error response builders (Story 6 / PRD §R5).
+ *
+ * All 401/403 responses share a consistent JSON structure with
+ * actionable `hint` fields. No stack traces or internals leaked.
+ */
+// ── 401 Responses ──────────────────────────────────────────
+export function missingCredentials(c) {
+    return c.json({
+        error: 'Authentication required',
+        hint: "Provide an API key via 'Authorization: Bearer als_...' header, or log in via /auth/login",
+        docs: '/docs/authentication',
+        status: 401,
+    }, 401);
+}
+export function invalidApiKey(c) {
+    return c.json({
+        error: 'Invalid or revoked API key',
+        hint: 'This API key is no longer valid. Generate a new key at /api/keys.',
+        status: 401,
+    }, 401);
+}
+export function expiredApiKey(c) {
+    return c.json({
+        error: 'API key expired',
+        hint: 'This API key has been rotated and is no longer valid. Please use the new key.',
+        status: 401,
+    }, 401);
+}
+export function expiredJwt(c) {
+    return c.json({
+        error: 'Token expired',
+        hint: 'Your session has expired. Refresh via POST /auth/refresh or log in again.',
+        status: 401,
+    }, 401);
+}
+export function invalidJwt(c) {
+    return c.json({
+        error: 'Invalid token',
+        hint: 'The provided token is invalid. Log in again via /auth/login.',
+        docs: '/docs/authentication',
+        status: 401,
+    }, 401);
+}
+export function invalidCloudKey(c) {
+    return c.json({
+        error: 'Invalid or revoked API key',
+        hint: 'This cloud API key is no longer valid. Generate a new key in the dashboard.',
+        status: 401,
+    }, 401);
+}
+export function authRequired(c) {
+    return c.json({
+        error: 'Authentication required',
+        hint: 'No auth context found. This is likely a middleware ordering issue.',
+        status: 401,
+    }, 401);
+}
+export function otlpAuthRequired(c) {
+    return c.json({
+        error: 'Authentication required',
+        hint: "OTLP authentication is enabled. Provide a token via 'Authorization: Bearer <token>' header.",
+        docs: '/docs/otlp-auth',
+        status: 401,
+    }, 401);
+}
+export function otlpInvalidToken(c) {
+    return c.json({
+        error: 'Invalid OTLP token',
+        hint: 'The provided OTLP auth token does not match. Check your OTLP_AUTH_TOKEN configuration.',
+        status: 401,
+    }, 401);
+}
+// ── 403 Responses ──────────────────────────────────────────
+export function insufficientPermissions(c, opts) {
+    return c.json({
+        error: 'Insufficient permissions',
+        hint: opts.hint ?? `This action requires '${opts.required}' role or higher. Your current role is '${opts.current}'.`,
+        required: opts.required,
+        current: opts.current,
+        status: 403,
+    }, 403);
+}
+//# sourceMappingURL=auth-errors.js.map

package/dist/middleware/auth-errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-errors.js","sourceRoot":"","sources":["../../src/middleware/auth-errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,8DAA8D;AAE9D,MAAM,UAAU,kBAAkB,CAAC,CAAU;IAC3C,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,yBAAyB;QAChC,IAAI,EAAE,0FAA0F;QAChG,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,CAAU;IACtC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,4BAA4B;QACnC,IAAI,EAAE,mEAAmE;QACzE,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,CAAU;IACtC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,iBAAiB;QACxB,IAAI,EAAE,+EAA+E;QACrF,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAU;IACnC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,2EAA2E;QACjF,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAU;IACnC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,8DAA8D;QACpE,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,CAAU;IACxC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,4BAA4B;QACnC,IAAI,EAAE,6EAA6E;QACnF,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,CAAU;IACrC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,yBAAyB;QAChC,IAAI,EAAE,oEAAoE;QAC1E,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAU;IACzC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,yBAAyB;QAChC,IAAI,EAAE,6FAA6F;QACnG,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAU;IACzC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,oBAAoB;QAC3B,IAAI,EAAE,wFAAwF;QAC9F,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,8DAA8D;AAE9D,MAAM,UAAU,uBAAuB,CAAC,CAAU,EAAE,IAInD;IACC,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,0BAA0B;QACjC,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,yBAAyB,IAAI,CAAC,QAAQ,2CAA2C,IAAI,CAAC,OAAO,IAAI;QACpH,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,GAAG;KACZ,EAAE,GAAG,CAAC,CAAC;AACV,CAAC"}

package/dist/middleware/auth.d.ts

@@ -5,8 +5,11 @@
  * with SHA-256 and looking it up in the apiKeys table.
  *
  * When AUTH_DISABLED=true, authentication is skipped (dev mode).
+ *
+ * Supports both SQLite (sync) and PostgreSQL (async) backends via IApiKeyLookup.
  */
 import type { SqliteDb } from '../db/index.js';
+import type { IApiKeyLookup } from '../db/api-key-lookup.js';
 /**
  * API key info attached to the Hono context.
  */
@@ -29,10 +32,10 @@ export declare function hashApiKey(raw: string): string;
 /**
  * Create the auth middleware.
  *
- * @param db - Drizzle SQLite database instance
+ * @param dbOrLookup - Drizzle SQLite database instance OR IApiKeyLookup
  * @param authDisabled - If true, skip authentication (dev mode)
  */
-export declare function authMiddleware(db: SqliteDb, authDisabled: boolean): import("hono").MiddlewareHandler<{
+export declare function authMiddleware(dbOrLookup: SqliteDb | IApiKeyLookup, authDisabled: boolean): import("hono").MiddlewareHandler<{
     Variables: AuthVariables;
 }, string, {}, Response>;
 //# sourceMappingURL=auth.d.ts.map

package/dist/middleware/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAI/C;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,UAAU,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,OAAO;eAC3B,aAAa;yBA2DnD"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAG/C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAE7D;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,UAAU,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,QAAQ,GAAG,aAAa,EAAE,YAAY,EAAE,OAAO;eACnD,aAAa;yBAgFnD"}

package/dist/middleware/auth.js

@@ -5,6 +5,8 @@
  * with SHA-256 and looking it up in the apiKeys table.
  *
  * When AUTH_DISABLED=true, authentication is skipped (dev mode).
+ *
+ * Supports both SQLite (sync) and PostgreSQL (async) backends via IApiKeyLookup.
  */
 import { createHash } from 'node:crypto';
 import { createMiddleware } from 'hono/factory';
@@ -19,10 +21,10 @@ export function hashApiKey(raw) {
 /**
  * Create the auth middleware.
  *
- * @param db - Drizzle SQLite database instance
+ * @param dbOrLookup - Drizzle SQLite database instance OR IApiKeyLookup
  * @param authDisabled - If true, skip authentication (dev mode)
  */
-export function authMiddleware(db, authDisabled) {
+export function authMiddleware(dbOrLookup, authDisabled) {
     return createMiddleware(async (c, next) => {
         // Dev mode: skip auth
         if (authDisabled) {
@@ -39,7 +41,37 @@ export function authMiddleware(db, authDisabled) {
         }
         const rawKey = match[1];
         const keyHash = hashApiKey(rawKey);
-        // Look up the key by hash (not revoked)
+        // Determine if we have an IApiKeyLookup or a raw SQLite db
+        if ('findByHash' in dbOrLookup) {
+            // IApiKeyLookup path (works for both SQLite and PostgreSQL)
+            const lookup = dbOrLookup;
+            const row = await lookup.findByHash(keyHash);
+            if (!row) {
+                return c.json({ error: 'Invalid or revoked API key', status: 401 }, 401);
+            }
+            if (row.expiresAt) {
+                const now = Math.floor(Date.now() / 1000);
+                if (now > row.expiresAt) {
+                    return c.json({ error: 'This API key has been rotated and is no longer valid. Please use the new key.', status: 401 }, 401);
+                }
+            }
+            // Fire-and-forget lastUsedAt update
+            void lookup.updateLastUsed(row.id);
+            const scopes = (() => {
+                if (Array.isArray(row.scopes))
+                    return row.scopes;
+                try {
+                    return JSON.parse(row.scopes);
+                }
+                catch {
+                    return [];
+                }
+            })();
+            c.set('apiKey', { id: row.id, name: row.name, scopes, tenantId: row.tenantId });
+            return next();
+        }
+        // Legacy SQLite db path (backward compatible)
+        const db = dbOrLookup;
         const row = db
             .select()
             .from(apiKeys)
@@ -48,17 +80,17 @@ export function authMiddleware(db, authDisabled) {
         if (!row) {
             return c.json({ error: 'Invalid or revoked API key', status: 401 }, 401);
         }
-        // Fire-and-forget lastUsedAt update
+        if (row.expiresAt) {
+            const now = Math.floor(Date.now() / 1000);
+            if (now > row.expiresAt) {
+                return c.json({ error: 'This API key has been rotated and is no longer valid. Please use the new key.', status: 401 }, 401);
+            }
+        }
         const now = Math.floor(Date.now() / 1000);
         try {
-            db.update(apiKeys)
-                .set({ lastUsedAt: now })
-                .where(eq(apiKeys.id, row.id))
-                .run();
-        }
-        catch {
-            // Non-critical — don't fail the request
+            db.update(apiKeys).set({ lastUsedAt: now }).where(eq(apiKeys.id, row.id)).run();
         }
+        catch { /* non-critical */ }
         const scopes = (() => {
             try {
                 return JSON.parse(row.scopes);
@@ -67,12 +99,7 @@ export function authMiddleware(db, authDisabled) {
                 return [];
             }
         })();
-        c.set('apiKey', {
-            id: row.id,
-            name: row.name,
-            scopes,
-            tenantId: row.tenantId,
-        });
+        c.set('apiKey', { id: row.id, name: row.name, scopes, tenantId: row.tenantId });
         return next();
     });
 }

package/dist/middleware/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,OAAO,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAmB9C;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,EAAY,EAAE,YAAqB;IAChE,OAAO,gBAAgB,CAA+B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACtE,sBAAsB;QACtB,IAAI,YAAY,EAAE,CAAC;YACjB,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;YACrF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+DAA+D,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9G,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACzB,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAEnC,wCAAwC;QACxC,MAAM,GAAG,GAAG,EAAE;aACX,MAAM,EAAE;aACR,IAAI,CAAC,OAAO,CAAC;aACb,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;aACnE,GAAG,EAAE,CAAC;QAET,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC3E,CAAC;QAED,oCAAoC;QACpC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC;YACH,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC;iBACf,GAAG,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;iBACxB,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;iBAC7B,GAAG,EAAE,CAAC;QACX,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAa,CAAC,GAAG,EAAE;YAC7B,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAa,CAAC;YAC5C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QAEL,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE;YACd,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM;YACN,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC,CAAC;QAEH,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,OAAO,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAoB9C;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,UAAoC,EAAE,YAAqB;IACxF,OAAO,gBAAgB,CAA+B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACtE,sBAAsB;QACtB,IAAI,YAAY,EAAE,CAAC;YACjB,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;YACrF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+DAA+D,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9G,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACzB,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAEnC,2DAA2D;QAC3D,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;YAC/B,4DAA4D;YAC5D,MAAM,MAAM,GAAG,UAA2B,CAAC;YAC3C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YAE7C,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;YAC3E,CAAC;YAED,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;gBAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;gBAC1C,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;oBACxB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+EAA+E,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;gBAC9H,CAAC;YACH,CAAC;YAED,oCAAoC;YACpC,KAAK,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAEnC,MAAM,MAAM,GAAa,CAAC,GAAG,EAAE;gBAC7B,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;oBAAE,OAAO,GAAG,CAAC,MAAM,CAAC;gBACjD,IAAI,CAAC;oBAAC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAgB,CAAa,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC;oBAAC,OAAO,EAAE,CAAC;gBAAC,CAAC;YACnF,CAAC,CAAC,EAAE,CAAC;YAEL,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YAChF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,8CAA8C;QAC9C,MAAM,EAAE,GAAG,UAAsB,CAAC;QAClC,MAAM,GAAG,GAAG,EAAE;aACX,MAAM,EAAE;aACR,IAAI,CAAC,OAAO,CAAC;aACb,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;aACnE,GAAG,EAAE,CAAC;QAET,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC3E,CAAC;QAED,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;gBACxB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+EAA+E,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;YAC9H,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC;YACH,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;QAClF,CAAC;QAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;QAE9B,MAAM,MAAM,GAAa,CAAC,GAAG,EAAE;YAC7B,IAAI,CAAC;gBAAC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAa,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC;gBAAC,OAAO,EAAE,CAAC;YAAC,CAAC;QACzE,CAAC,CAAC,EAAE,CAAC;QAEL,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChF,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/body-limit.d.ts

@@ -0,0 +1,9 @@
+/**
+ * SH-3: Global Body Limit Middleware
+ *
+ * Applies a 1MB default body size limit to all API routes.
+ * Individual routes can override with their own bodyLimit (e.g., events uses 10MB).
+ */
+/** 1MB default body limit for API routes */
+export declare const apiBodyLimit: import("hono").MiddlewareHandler;
+//# sourceMappingURL=body-limit.d.ts.map