npm - @beignet/core - Versions diffs - 0.0.2 → 0.0.4 - Mend

@beignet/core 0.0.2 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (360) hide show

package/CHANGELOG.md +173 -0
package/README.md +821 -30
package/dist/application/index.d.ts +28 -2
package/dist/application/index.d.ts.map +1 -1
package/dist/application/index.js +140 -12
package/dist/application/index.js.map +1 -1
package/dist/client/client.d.ts +2 -2
package/dist/client/client.d.ts.map +1 -1
package/dist/client/client.js +136 -48
package/dist/client/client.js.map +1 -1
package/dist/client/error-messages.d.ts +14 -0
package/dist/client/error-messages.d.ts.map +1 -0
package/dist/client/error-messages.js +23 -0
package/dist/client/error-messages.js.map +1 -0
package/dist/client/index.d.ts +8 -4
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +6 -2
package/dist/client/index.js.map +1 -1
package/dist/client/types.d.ts +35 -5
package/dist/client/types.d.ts.map +1 -1
package/dist/client-only.d.ts +8 -0
package/dist/client-only.d.ts.map +1 -0
package/dist/client-only.js +8 -0
package/dist/client-only.js.map +1 -0
package/dist/config/index.d.ts +5 -5
package/dist/config/index.d.ts.map +1 -1
package/dist/config/index.js +2 -2
package/dist/config/index.js.map +1 -1
package/dist/contracts/catalog-errors.d.ts +27 -0
package/dist/contracts/catalog-errors.d.ts.map +1 -0
package/dist/contracts/catalog-errors.js +69 -0
package/dist/contracts/catalog-errors.js.map +1 -0
package/dist/contracts/contract-builder.d.ts +15 -12
package/dist/contracts/contract-builder.d.ts.map +1 -1
package/dist/contracts/contract-builder.js +15 -41
package/dist/contracts/contract-builder.js.map +1 -1
package/dist/contracts/contract-group.d.ts +11 -8
package/dist/contracts/contract-group.d.ts.map +1 -1
package/dist/contracts/contract-group.js +13 -40
package/dist/contracts/contract-group.js.map +1 -1
package/dist/contracts/contract-like.d.ts +1 -1
package/dist/contracts/contract-like.d.ts.map +1 -1
package/dist/contracts/index.d.ts +13 -9
package/dist/contracts/index.d.ts.map +1 -1
package/dist/contracts/index.js +9 -5
package/dist/contracts/index.js.map +1 -1
package/dist/contracts/openapi-meta.d.ts +48 -0
package/dist/contracts/openapi-meta.d.ts.map +1 -1
package/dist/contracts/openapi-meta.js +3 -0
package/dist/contracts/openapi-meta.js.map +1 -1
package/dist/contracts/path-template.d.ts +1 -1
package/dist/contracts/path-template.js +2 -2
package/dist/contracts/path-template.js.map +1 -1
package/dist/contracts/schema-shape.d.ts +37 -0
package/dist/contracts/schema-shape.d.ts.map +1 -0
package/dist/contracts/schema-shape.js +61 -0
package/dist/contracts/schema-shape.js.map +1 -0
package/dist/contracts/success-status.d.ts +32 -0
package/dist/contracts/success-status.d.ts.map +1 -0
package/dist/contracts/success-status.js +18 -0
package/dist/contracts/success-status.js.map +1 -0
package/dist/contracts/types.d.ts +25 -5
package/dist/contracts/types.d.ts.map +1 -1
package/dist/contracts/types.js.map +1 -1
package/dist/contracts/utils.d.ts +1 -1
package/dist/contracts/utils.d.ts.map +1 -1
package/dist/contracts/utils.js +1 -1
package/dist/contracts/utils.js.map +1 -1
package/dist/domain/events.d.ts +1 -1
package/dist/domain/events.d.ts.map +1 -1
package/dist/domain/events.js +1 -1
package/dist/domain/events.js.map +1 -1
package/dist/domain/index.d.ts +3 -3
package/dist/domain/index.d.ts.map +1 -1
package/dist/domain/index.js +3 -3
package/dist/domain/index.js.map +1 -1
package/dist/errors/catalog.d.ts +9 -1
package/dist/errors/catalog.d.ts.map +1 -1
package/dist/errors/catalog.js +7 -1
package/dist/errors/catalog.js.map +1 -1
package/dist/errors/http.d.ts +10 -0
package/dist/errors/http.d.ts.map +1 -1
package/dist/errors/http.js +11 -1
package/dist/errors/http.js.map +1 -1
package/dist/errors/index.d.ts +4 -4
package/dist/errors/index.d.ts.map +1 -1
package/dist/errors/index.js +4 -4
package/dist/errors/index.js.map +1 -1
package/dist/errors/response.d.ts +4 -1
package/dist/errors/response.d.ts.map +1 -1
package/dist/errors/response.js.map +1 -1
package/dist/events/index.d.ts +10 -12
package/dist/events/index.d.ts.map +1 -1
package/dist/events/index.js +10 -10
package/dist/events/index.js.map +1 -1
package/dist/idempotency/index.d.ts +5 -3
package/dist/idempotency/index.d.ts.map +1 -1
package/dist/idempotency/index.js.map +1 -1
package/dist/jobs/index.d.ts +148 -16
package/dist/jobs/index.d.ts.map +1 -1
package/dist/jobs/index.js +174 -14
package/dist/jobs/index.js.map +1 -1
package/dist/notifications/index.d.ts +14 -16
package/dist/notifications/index.d.ts.map +1 -1
package/dist/notifications/index.js +14 -14
package/dist/notifications/index.js.map +1 -1
package/dist/openapi/index.d.ts +8 -3
package/dist/openapi/index.d.ts.map +1 -1
package/dist/openapi/index.js +41 -29
package/dist/openapi/index.js.map +1 -1
package/dist/openapi/schema-introspector.d.ts +37 -0
package/dist/openapi/schema-introspector.d.ts.map +1 -1
package/dist/openapi/schema-introspector.js +23 -17
package/dist/openapi/schema-introspector.js.map +1 -1
package/dist/outbox/index.d.ts +18 -4
package/dist/outbox/index.d.ts.map +1 -1
package/dist/outbox/index.js +104 -4
package/dist/outbox/index.js.map +1 -1
package/dist/ports/audit.d.ts +56 -10
package/dist/ports/audit.d.ts.map +1 -1
package/dist/ports/audit.js +71 -3
package/dist/ports/audit.js.map +1 -1
package/dist/ports/auth.d.ts +92 -0
package/dist/ports/auth.d.ts.map +1 -1
package/dist/ports/auth.js +92 -0
package/dist/ports/auth.js.map +1 -1
package/dist/ports/events.d.ts +2 -2
package/dist/ports/events.d.ts.map +1 -1
package/dist/ports/index.d.ts +62 -33
package/dist/ports/index.d.ts.map +1 -1
package/dist/ports/index.js +28 -34
package/dist/ports/index.js.map +1 -1
package/dist/ports/policy.d.ts +32 -3
package/dist/ports/policy.d.ts.map +1 -1
package/dist/ports/policy.js +13 -2
package/dist/ports/policy.js.map +1 -1
package/dist/ports/testing.d.ts +1030 -2
package/dist/ports/testing.d.ts.map +1 -1
package/dist/ports/testing.js +1031 -1
package/dist/ports/testing.js.map +1 -1
package/dist/ports/unbound.d.ts +21 -0
package/dist/ports/unbound.d.ts.map +1 -0
package/dist/ports/unbound.js +57 -0
package/dist/ports/unbound.js.map +1 -0
package/dist/ports/unit-of-work.d.ts +1 -1
package/dist/ports/unit-of-work.d.ts.map +1 -1
package/dist/ports/unit-of-work.js +1 -1
package/dist/ports/unit-of-work.js.map +1 -1
package/dist/providers/index.d.ts +3 -2
package/dist/providers/index.d.ts.map +1 -1
package/dist/providers/index.js +3 -2
package/dist/providers/index.js.map +1 -1
package/dist/providers/instrumentation.d.ts +46 -5
package/dist/providers/instrumentation.d.ts.map +1 -1
package/dist/providers/instrumentation.js +25 -6
package/dist/providers/instrumentation.js.map +1 -1
package/dist/providers/metadata.d.ts +39 -0
package/dist/providers/metadata.d.ts.map +1 -0
package/dist/providers/metadata.js +169 -0
package/dist/providers/metadata.js.map +1 -0
package/dist/providers/provider.d.ts +114 -9
package/dist/providers/provider.d.ts.map +1 -1
package/dist/providers/provider.js +3 -20
package/dist/providers/provider.js.map +1 -1
package/dist/schedules/index.d.ts +94 -13
package/dist/schedules/index.d.ts.map +1 -1
package/dist/schedules/index.js +66 -12
package/dist/schedules/index.js.map +1 -1
package/dist/server/audit-context.d.ts +29 -0
package/dist/server/audit-context.d.ts.map +1 -0
package/dist/server/audit-context.js +44 -0
package/dist/server/audit-context.js.map +1 -0
package/dist/server/context.d.ts +141 -0
package/dist/server/context.d.ts.map +1 -0
package/dist/server/context.js +39 -0
package/dist/server/context.js.map +1 -0
package/dist/server/contract-like.d.ts +1 -1
package/dist/server/contract-like.d.ts.map +1 -1
package/dist/server/contract-like.js +1 -1
package/dist/server/contract-like.js.map +1 -1
package/dist/server/health.d.ts +2 -2
package/dist/server/health.d.ts.map +1 -1
package/dist/server/hooks/auth.d.ts +89 -65
package/dist/server/hooks/auth.d.ts.map +1 -1
package/dist/server/hooks/auth.js +84 -55
package/dist/server/hooks/auth.js.map +1 -1
package/dist/server/hooks/cors.d.ts +1 -1
package/dist/server/hooks/cors.d.ts.map +1 -1
package/dist/server/hooks/errors.d.ts +2 -2
package/dist/server/hooks/errors.d.ts.map +1 -1
package/dist/server/hooks/errors.js +2 -2
package/dist/server/hooks/errors.js.map +1 -1
package/dist/server/hooks/idempotency.d.ts +78 -0
package/dist/server/hooks/idempotency.d.ts.map +1 -0
package/dist/server/hooks/idempotency.js +154 -0
package/dist/server/hooks/idempotency.js.map +1 -0
package/dist/server/hooks/index.d.ts +8 -7
package/dist/server/hooks/index.d.ts.map +1 -1
package/dist/server/hooks/index.js +6 -5
package/dist/server/hooks/index.js.map +1 -1
package/dist/server/hooks/logging.d.ts +2 -2
package/dist/server/hooks/logging.d.ts.map +1 -1
package/dist/server/hooks/logging.js +1 -1
package/dist/server/hooks/logging.js.map +1 -1
package/dist/server/hooks/rate-limit.d.ts +25 -7
package/dist/server/hooks/rate-limit.d.ts.map +1 -1
package/dist/server/hooks/rate-limit.js +47 -12
package/dist/server/hooks/rate-limit.js.map +1 -1
package/dist/server/hooks.d.ts +1 -1
package/dist/server/hooks.d.ts.map +1 -1
package/dist/server/hooks.js +1 -1
package/dist/server/hooks.js.map +1 -1
package/dist/server/http.d.ts +84 -6
package/dist/server/http.d.ts.map +1 -1
package/dist/server/index.d.ts +36 -12
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +24 -8
package/dist/server/index.js.map +1 -1
package/dist/server/instrumentation.d.ts +108 -0
package/dist/server/instrumentation.d.ts.map +1 -0
package/dist/server/instrumentation.js +297 -0
package/dist/server/instrumentation.js.map +1 -0
package/dist/server/openapi.d.ts +3 -3
package/dist/server/openapi.d.ts.map +1 -1
package/dist/server/openapi.js +1 -1
package/dist/server/openapi.js.map +1 -1
package/dist/server/providers/index.d.ts +3 -3
package/dist/server/providers/index.d.ts.map +1 -1
package/dist/server/providers/index.js +3 -3
package/dist/server/providers/index.js.map +1 -1
package/dist/server/providers/loadProviderConfig.d.ts +2 -2
package/dist/server/providers/loadProviderConfig.d.ts.map +1 -1
package/dist/server/providers/loadProviderConfig.js +2 -2
package/dist/server/providers/loadProviderConfig.js.map +1 -1
package/dist/server/request-context.d.ts +67 -0
package/dist/server/request-context.d.ts.map +1 -0
package/dist/server/request-context.js +79 -0
package/dist/server/request-context.js.map +1 -0
package/dist/server/server-context.d.ts +38 -0
package/dist/server/server-context.d.ts.map +1 -0
package/dist/server/server-context.js +38 -0
package/dist/server/server-context.js.map +1 -0
package/dist/server/server.d.ts +148 -35
package/dist/server/server.d.ts.map +1 -1
package/dist/server/server.js +482 -145
package/dist/server/server.js.map +1 -1
package/dist/server/types.d.ts +2 -2
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +2 -2
package/dist/server/types.js.map +1 -1
package/dist/server/use-case-route.d.ts +263 -0
package/dist/server/use-case-route.d.ts.map +1 -0
package/dist/server/use-case-route.js +77 -0
package/dist/server/use-case-route.js.map +1 -0
package/dist/server-only.d.ts +8 -0
package/dist/server-only.d.ts.map +1 -0
package/dist/server-only.js +8 -0
package/dist/server-only.js.map +1 -0
package/dist/tasks/index.d.ts +139 -0
package/dist/tasks/index.d.ts.map +1 -0
package/dist/tasks/index.js +98 -0
package/dist/tasks/index.js.map +1 -0
package/dist/testing/index.d.ts +611 -5
package/dist/testing/index.d.ts.map +1 -1
package/dist/testing/index.js +434 -4
package/dist/testing/index.js.map +1 -1
package/dist/tracing/index.d.ts +89 -0
package/dist/tracing/index.d.ts.map +1 -0
package/dist/tracing/index.js +101 -0
package/dist/tracing/index.js.map +1 -0
package/dist/uploads/client.d.ts +278 -0
package/dist/uploads/client.d.ts.map +1 -0
package/dist/uploads/client.js +428 -0
package/dist/uploads/client.js.map +1 -0
package/dist/uploads/index.d.ts +361 -0
package/dist/uploads/index.d.ts.map +1 -0
package/dist/uploads/index.js +543 -0
package/dist/uploads/index.js.map +1 -0
package/package.json +34 -3
package/src/application/index.ts +193 -10
package/src/client/client.ts +148 -150
package/src/client/error-messages.ts +35 -0
package/src/client/index.ts +12 -4
package/src/client/types.ts +44 -5
package/src/client-only.ts +7 -0
package/src/config/index.ts +6 -6
package/src/contracts/catalog-errors.ts +115 -0
package/src/contracts/contract-builder.ts +39 -76
package/src/contracts/contract-group.ts +33 -68
package/src/contracts/contract-like.ts +1 -1
package/src/contracts/index.ts +24 -11
package/src/contracts/openapi-meta.ts +55 -0
package/src/contracts/path-template.ts +2 -2
package/src/contracts/schema-shape.ts +75 -0
package/src/contracts/success-status.ts +68 -0
package/src/contracts/types.ts +32 -5
package/src/contracts/utils.ts +5 -2
package/src/domain/events.ts +6 -2
package/src/domain/index.ts +3 -3
package/src/errors/catalog.ts +9 -1
package/src/errors/http.ts +11 -1
package/src/errors/index.ts +4 -4
package/src/errors/response.ts +4 -1
package/src/events/index.ts +12 -26
package/src/idempotency/index.ts +5 -3
package/src/jobs/index.ts +340 -29
package/src/notifications/index.ts +17 -27
package/src/openapi/index.ts +73 -38
package/src/openapi/schema-introspector.ts +68 -17
package/src/outbox/index.ts +151 -6
package/src/ports/audit.ts +120 -11
package/src/ports/auth.ts +132 -0
package/src/ports/events.ts +2 -2
package/src/ports/index.ts +104 -35
package/src/ports/policy.ts +50 -3
package/src/ports/testing.ts +2220 -33
package/src/ports/unbound.ts +64 -0
package/src/ports/unit-of-work.ts +6 -2
package/src/providers/index.ts +16 -3
package/src/providers/instrumentation.ts +93 -8
package/src/providers/metadata.ts +234 -0
package/src/providers/provider.ts +168 -9
package/src/schedules/index.ts +173 -23
package/src/server/audit-context.ts +45 -0
package/src/server/context.ts +224 -0
package/src/server/contract-like.ts +1 -1
package/src/server/health.ts +2 -2
package/src/server/hooks/auth.ts +175 -158
package/src/server/hooks/cors.ts +1 -1
package/src/server/hooks/errors.ts +7 -4
package/src/server/hooks/idempotency.ts +263 -0
package/src/server/hooks/index.ts +15 -12
package/src/server/hooks/logging.ts +3 -3
package/src/server/hooks/rate-limit.ts +85 -17
package/src/server/hooks.ts +1 -1
package/src/server/http.ts +112 -6
package/src/server/index.ts +63 -12
package/src/server/instrumentation.ts +470 -0
package/src/server/openapi.ts +4 -4
package/src/server/providers/index.ts +6 -3
package/src/server/providers/loadProviderConfig.ts +4 -4
package/src/server/request-context.ts +116 -0
package/src/server/server-context.ts +44 -0
package/src/server/server.ts +1045 -229
package/src/server/types.ts +2 -2
package/src/server/use-case-route.ts +430 -0
package/src/server-only.ts +7 -0
package/src/tasks/index.ts +275 -0
package/src/testing/index.ts +1153 -6
package/src/tracing/index.ts +176 -0
package/src/uploads/client.ts +861 -0
package/src/uploads/index.ts +1071 -0
package/dist/ports/mailer.d.ts +0 -6
package/dist/ports/mailer.d.ts.map +0 -1
package/dist/ports/mailer.js +0 -2
package/dist/ports/mailer.js.map +0 -1
package/dist/ports/schedules.d.ts +0 -9
package/dist/ports/schedules.d.ts.map +0 -1
package/dist/ports/schedules.js +0 -2
package/dist/ports/schedules.js.map +0 -1

package/src/ports/audit.ts CHANGED Viewed

@@ -1,4 +1,8 @@
-import { redactValue } from "./redaction";
+import {
+  type ProviderInstrumentationTarget,
+  resolveProviderInstrumentationPort,
+} from "../providers/instrumentation.js";
+import { redactValue } from "./redaction.js";
 /**
  * The normalized category of actor that caused application activity.
@@ -111,10 +115,11 @@ export interface ActivityResource {
 /**
  * A normalized audit/activity log entry.
  *
- * Application code usually creates these through an app-owned helper such as
- * `auditEntry(ctx, { action, resource })` so actor, tenant, request ID, and
- * trace ID are copied from context consistently. Durability depends on the
- * `AuditLogPort` implementation.
+ * Application code usually records entries through an audit port wrapped with
+ * `createAmbientAuditLog(...)` from `@beignet/core/server`, which fills
+ * missing actor, tenant, request ID, and trace ID fields from the ambient
+ * request context at record time. Durability depends on the `AuditLogPort`
+ * implementation.
  */
 export interface AuditLogEntry {
   /**
@@ -165,14 +170,18 @@ export interface AuditLogEntry {
 /**
  * Input accepted by `AuditLogPort.record(...)`.
  *
- * `occurredAt` and `outcome` are optional at call sites. Adapters that store
- * audit entries should call `normalizeAuditLogEntry(...)` before persistence or
- * otherwise apply equivalent defaults.
+ * `actor`, `occurredAt`, and `outcome` are optional at call sites. Wrappers
+ * such as `createAmbientAuditLog(...)` fill a missing actor from the ambient
+ * request context. Adapters that store audit entries should call
+ * `normalizeAuditLogEntry(...)` before persistence or otherwise apply
+ * equivalent defaults; entries without an actor normalize to an anonymous
+ * actor.
  */
 export type AuditLogEntryInput = Omit<
   AuditLogEntry,
-  "occurredAt" | "outcome"
+  "actor" | "occurredAt" | "outcome"
 > & {
+  actor?: ActivityActor;
   occurredAt?: Date;
   outcome?: AuditOutcome;
 };
@@ -259,7 +268,7 @@ export function createServiceActor(
 /**
  * Create a system actor descriptor for framework or app-owned background work.
  *
- * Use this for scheduled tasks, scripts, maintenance jobs, and other work that
+ * Use this for schedules, scripts, maintenance jobs, and other work that
  * is not directly caused by a user or external service.
  *
  * @example
@@ -334,13 +343,15 @@ export function createTenant(
  * Fill default audit fields for an input entry.
  *
  * @param entry - Partial audit entry accepted by `AuditLogPort.record(...)`.
- * @returns A complete audit entry with `occurredAt` and `outcome` populated.
+ * @returns A complete audit entry with `actor`, `occurredAt`, and `outcome`
+ * populated. Entries without an actor default to an anonymous actor.
  */
 export function normalizeAuditLogEntry(
   entry: AuditLogEntryInput,
 ): AuditLogEntry {
   return {
     ...entry,
+    actor: entry.actor ?? createAnonymousActor(),
     occurredAt: entry.occurredAt ?? new Date(),
     outcome: entry.outcome ?? "success",
   };
@@ -409,6 +420,104 @@ export function createRedactedAuditLog(
   };
 }
+/**
+ * Options for wrapping an audit log with instrumentation emission.
+ */
+export interface InstrumentedAuditLogOptions {
+  /**
+   * Durable audit log to write first.
+   */
+  audit: AuditLogPort;
+  /**
+   * Instrumentation sink, port, or ports object. Pass the app ports object so
+   * the sink (`ports.instrumentation`, then `ports.devtools`) is resolved
+   * lazily on each write and observes provider startup order.
+   */
+  instrumentation?: ProviderInstrumentationTarget;
+  /**
+   * Whether to emit instrumentation events. Defaults to true.
+   */
+  emit?: boolean;
+  /**
+   * Optional app-owned redactor applied after Beignet's audit redaction.
+   */
+  redact?: (entry: AuditLogEntry) => AuditLogEntry;
+}
+function prepareInstrumentedEntry(
+  input: AuditLogEntryInput,
+  redact?: (entry: AuditLogEntry) => AuditLogEntry,
+): AuditLogEntry {
+  const redacted = redactAuditLogEntry(normalizeAuditLogEntry(input));
+  return redact ? redact(redacted) : redacted;
+}
+function auditSummary(entry: AuditLogEntry): string {
+  const resource = entry.resource?.id
+    ? `${entry.resource.type}:${entry.resource.id}`
+    : entry.resource?.type;
+  const outcome = entry.outcome === "failure" ? "failed" : "succeeded";
+  return resource
+    ? `${entry.action} ${outcome} for ${resource}`
+    : `${entry.action} ${outcome}`;
+}
+/**
+ * Wrap an audit log so durable audit writes also appear in instrumentation
+ * sinks such as devtools.
+ *
+ * Instrumentation failures are ignored so audit persistence remains the
+ * source of truth.
+ *
+ * @example
+ * ```ts
+ * const audit = createInstrumentedAuditLog({
+ *   audit: createDrizzleAuditLog(db),
+ *   instrumentation: ports,
+ * });
+ * ```
+ */
+export function createInstrumentedAuditLog(
+  options: InstrumentedAuditLogOptions,
+): AuditLogPort {
+  return {
+    async record(input) {
+      const entry = prepareInstrumentedEntry(input, options.redact);
+      await options.audit.record(entry);
+      if (options.emit === false) return;
+      const port = resolveProviderInstrumentationPort(options.instrumentation);
+      if (!port) return;
+      try {
+        port.record({
+          type: "custom",
+          watcher: "audit",
+          name: entry.action,
+          label: "Audit",
+          summary: auditSummary(entry),
+          requestId: entry.requestId,
+          traceId: entry.traceId,
+          details: {
+            action: entry.action,
+            actor: entry.actor,
+            tenant: entry.tenant,
+            resource: entry.resource,
+            outcome: entry.outcome,
+            message: entry.message,
+            metadata: entry.metadata,
+            occurredAt: entry.occurredAt.toISOString(),
+          },
+        });
+      } catch {
+        // Instrumentation is an observer; durable audit writes must not depend on it.
+      }
+    },
+  };
+}
 /**
  * Create an in-memory audit log for tests and local examples.
  *

package/src/ports/auth.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+import type { ActivityTenant } from "./audit.js";
 /**
  * Minimal request shape consumed by Beignet auth ports.
  *
@@ -41,6 +43,136 @@ export class AuthUnauthorizedError extends Error {
   }
 }
+/**
+ * Error thrown by tenant helpers when a workflow requires a tenant scope but
+ * the current context has none.
+ *
+ * The server maps this to a framework-owned 403 response, mirroring how
+ * `AuthUnauthorizedError` maps to a framework-owned 401.
+ */
+export class TenantRequiredError extends Error {
+  readonly code = "TENANT_REQUIRED";
+  readonly status = 403;
+  constructor(message = "A tenant is required for this action.") {
+    super(message);
+    this.name = "TenantRequiredError";
+  }
+}
+/**
+ * Options accepted by the `requireX(ctx)` context helpers.
+ */
+export interface RequireOptions {
+  /**
+   * Create the error to throw instead of the framework default.
+   */
+  error?: () => unknown;
+}
+function throwRequired(
+  options: RequireOptions | undefined,
+  fallback: () => Error,
+): never {
+  throw options?.error ? options.error() : fallback();
+}
+/**
+ * Return the authenticated session from `ctx.auth` or throw.
+ *
+ * Throws `AuthUnauthorizedError` (a framework-owned 401) by default. Pass
+ * `options.error` to throw an app-owned error instead.
+ *
+ * @example
+ * ```ts
+ * const session = requireSession(ctx);
+ * ```
+ */
+export function requireSession<Session extends AuthSession>(
+  ctx: { auth?: Session | null },
+  options?: RequireOptions,
+): Session {
+  if (!ctx.auth) {
+    throwRequired(options, () => new AuthUnauthorizedError());
+  }
+  return ctx.auth;
+}
+/**
+ * Return the authenticated user from `ctx.auth` or throw.
+ *
+ * The user type is inferred from the app's `ctx.auth` session. Throws
+ * `AuthUnauthorizedError` (a framework-owned 401) by default.
+ *
+ * @example
+ * ```ts
+ * const user = requireUser(ctx);
+ * ```
+ */
+export function requireUser<User>(
+  ctx: { auth?: AuthSession<User> | null },
+  options?: RequireOptions,
+): User {
+  return requireSession(ctx, options).user;
+}
+/**
+ * Return the authenticated user's ID from `ctx.auth` or throw.
+ *
+ * Throws `AuthUnauthorizedError` (a framework-owned 401) by default.
+ *
+ * @example
+ * ```ts
+ * const userId = requireUserId(ctx);
+ * ```
+ */
+export function requireUserId(
+  ctx: { auth?: AuthSession<{ id: string }> | null },
+  options?: RequireOptions,
+): string {
+  return requireUser(ctx, options).id;
+}
+/**
+ * Return the tenant scope from `ctx.tenant` or throw.
+ *
+ * Throws `TenantRequiredError` (a framework-owned 403) by default. Pass
+ * `options.error` to throw an app-owned error instead.
+ *
+ * @example
+ * ```ts
+ * const tenant = requireTenant(ctx);
+ * ```
+ */
+export function requireTenant(
+  ctx: { tenant?: ActivityTenant | null },
+  options?: RequireOptions,
+): ActivityTenant {
+  if (!ctx.tenant) {
+    throwRequired(options, () => new TenantRequiredError());
+  }
+  return ctx.tenant;
+}
+/**
+ * Return the tenant ID from `ctx.tenant` or throw.
+ *
+ * Throws `TenantRequiredError` (a framework-owned 403) by default.
+ *
+ * @example
+ * ```ts
+ * const tenantId = requireTenantId(ctx);
+ * ```
+ */
+export function requireTenantId(
+  ctx: { tenant?: ActivityTenant | null },
+  options?: RequireOptions,
+): string {
+  return requireTenant(ctx, options).id;
+}
 /**
  * App-facing authentication port.
  *

package/src/ports/events.ts CHANGED Viewed

@@ -2,11 +2,11 @@ import type {
   EventPayloadDef,
   InferEventPayload as InferContractEventPayload,
   StandardSchema,
-} from "../events";
+} from "../events/index.js";
 import type {
   JobDef as ContractJobDef,
   InferJobPayload as InferContractJobPayload,
-} from "../jobs";
+} from "../jobs/index.js";
 /**
  * Represents a defined Domain Event with name and payload schema.

package/src/ports/index.ts CHANGED Viewed

@@ -27,9 +27,11 @@
  * - `@beignet/core/mail` owns `MailerPort` and mail test adapters
  * - `@beignet/core/notifications` owns notification helpers and test adapters
  * - `@beignet/core/outbox` owns durable outbox helpers and test adapters
- * - `@beignet/core/schedules` owns scheduled task definitions and runners
+ * - `@beignet/core/schedules` owns schedule definitions and runners
  */
+import { createUnboundPort } from "./unbound.js";
 /**
  * A generic map of named "ports" (outbound dependencies) that your
  * application depends on: db, mailer, cache, event bus, etc.
@@ -39,28 +41,78 @@
  */
 export type AnyPorts = Record<string, unknown>;
+/**
+ * Definition accepted by the curried `definePorts<P>()(...)` form.
+ */
+export type DeferredPortsDefinition<
+  P extends AnyPorts,
+  Deferred extends readonly (keyof P & string)[],
+> = {
+  /**
+   * Ports the app binds directly. Optional keys of `P` may be omitted here
+   * and contributed by providers instead.
+   */
+  bound: Omit<P, Deferred[number]>;
+  /**
+   * Port keys that providers contribute during server startup. Deferred keys
+   * boot as throwing placeholders; `createServer(...)` fails startup if any
+   * are still unbound after providers have started (see `onUnboundPorts`).
+   */
+  deferred: Deferred;
+};
 /**
  * Define the set of ports (outbound dependencies) for your application.
  *
- * This is essentially a typed identity function. It:
- * - captures the exact shape of the provided `ports` object
- * - allows you to export `type AppPorts = typeof appPorts` in your app
+ * The identity form captures the exact shape of the provided `ports` object
+ * so you can export `type AppPorts = typeof appPorts`.
+ *
+ * The curried form, `definePorts<AppPorts>()({ bound, deferred })`, declares
+ * which port keys providers contribute at server startup. Deferred keys boot
+ * as throwing placeholders instead of hand-written stubs, and
+ * `createServer(...)` validates after provider startup that nothing is left
+ * unbound. Optional keys of `AppPorts` may go in either bucket.
  *
  * @example
  * ```ts
+ * // Identity form: every port is bound directly.
  * const appPorts = definePorts({
  *   db: dbAdapter,
  *   mailer: mailerAdapter,
  * });
- *
  * export type AppPorts = typeof appPorts;
- * ```
  *
- * @param ports - The ports object to define
- * @returns The same ports object, unchanged
+ * // Deferred form: providers contribute the rest at startup.
+ * export const appPorts = definePorts<AppPorts>()({
+ *   bound: { gate },
+ *   deferred: ["db", "mailer", "storage"],
+ * });
+ * ```
  */
-export function definePorts<P extends AnyPorts>(ports: P): P {
-  return ports;
+export function definePorts<P extends AnyPorts>(ports: P): P;
+export function definePorts<P extends AnyPorts>(): <
+  const Deferred extends readonly (keyof P & string)[],
+>(
+  definition: DeferredPortsDefinition<P, Deferred>,
+) => P;
+export function definePorts<P extends AnyPorts>(
+  ports?: P,
+):
+  | P
+  | ((
+      definition: DeferredPortsDefinition<P, readonly (keyof P & string)[]>,
+    ) => P) {
+  if (ports !== undefined) {
+    return ports;
+  }
+  return (definition) => {
+    const result: AnyPorts = { ...(definition.bound as AnyPorts) };
+    for (const key of definition.deferred) {
+      result[key] = createUnboundPort(key);
+    }
+    return result as P;
+  };
 }
 /**
@@ -93,7 +145,7 @@ export type {
   IdempotencyPort,
   IdempotencyReservation,
   IdempotencyReserveInput,
-} from "../idempotency";
+} from "../idempotency/index.js";
 /**
  * Notification port exports.
  */
@@ -104,7 +156,7 @@ export type {
   NotificationPort,
   SendNotificationOptions,
   SendNotificationResult,
-} from "../notifications";
+} from "../notifications/index.js";
 /**
  * Transactional outbox port exports.
  */
@@ -118,7 +170,7 @@ export type {
   OutboxMessageKind,
   OutboxMessageStatus,
   OutboxPort,
-} from "../outbox";
+} from "../outbox/index.js";
 /**
  * Audit log port exports.
  */
@@ -134,13 +186,15 @@ export type {
   AuditLogOptions,
   AuditLogPort,
   AuditOutcome,
+  InstrumentedAuditLogOptions,
   MemoryAuditLogPort,
-} from "./audit";
+} from "./audit.js";
 /**
  * Audit log helper exports.
  */
 export {
   createAnonymousActor,
+  createInstrumentedAuditLog,
   createMemoryAuditLog,
   createRedactedAuditLog,
   createServiceActor,
@@ -149,7 +203,7 @@ export {
   createUserActor,
   normalizeAuditLogEntry,
   redactAuditLogEntry,
-} from "./audit";
+} from "./audit.js";
 /**
  * Auth port exports.
  */
@@ -157,8 +211,9 @@ export type {
   AuthPort,
   AuthRequestLike,
   AuthSession,
+  RequireOptions,
   StaticAuthSessionFactory,
-} from "./auth";
+} from "./auth.js";
 /**
  * Auth helper exports.
  */
@@ -166,7 +221,13 @@ export {
   AuthUnauthorizedError,
   createAnonymousAuth,
   createStaticAuth,
-} from "./auth";
+  requireSession,
+  requireTenant,
+  requireTenantId,
+  requireUser,
+  requireUserId,
+  TenantRequiredError,
+} from "./auth.js";
 /**
  * Ports builder exports.
  */
@@ -174,23 +235,23 @@ export {
   createPortsBuilder,
   type PortsBuilder,
   type PortsOf,
-} from "./builder";
+} from "./builder.js";
 /**
  * Cache port exports.
  */
-export type { CachePort, CacheSetOptions } from "./cache";
+export type { CachePort, CacheSetOptions } from "./cache.js";
 /**
  * Cache helper exports.
  */
-export { createMemoryCache } from "./cache";
+export { createMemoryCache } from "./cache.js";
 /**
  * Clock port exports.
  */
-export type { ClockPort, FrozenClockPort } from "./clock";
+export type { ClockPort, FrozenClockPort } from "./clock.js";
 /**
  * Clock helper exports.
  */
-export { createFrozenClock, createSystemClock } from "./clock";
+export { createFrozenClock, createSystemClock } from "./clock.js";
 /**
  * Event bus and job dispatcher port exports.
  */
@@ -201,18 +262,21 @@ export type {
   InferJobPayload,
   JobDef,
   JobDispatcherPort,
-} from "./events";
+} from "./events.js";
 /**
  * ID generator port exports.
  */
-export type { IdGeneratorPort, SequenceIdGeneratorPort } from "./id-generator";
+export type {
+  IdGeneratorPort,
+  SequenceIdGeneratorPort,
+} from "./id-generator.js";
 /**
  * ID generator helper exports.
  */
 export {
   createSequenceIdGenerator,
   createUuidIdGenerator,
-} from "./id-generator";
+} from "./id-generator.js";
 /**
  * Logger port exports.
  */
@@ -221,11 +285,11 @@ export type {
   LogLevel,
   MemoryLogEntry,
   MemoryLoggerPort,
-} from "./logger";
+} from "./logger.js";
 /**
  * Logger helper exports.
  */
-export { createMemoryLogger, createNoopLogger } from "./logger";
+export { createMemoryLogger, createNoopLogger } from "./logger.js";
 /**
  * Policy and authorization gate type exports.
  */
@@ -233,6 +297,7 @@ export type {
   BoundGate,
   CreateGateOptions,
   GateAllowedDecision,
+  GateContext,
   GateDecision,
   GateDeniedDecision,
   GateDenyHandler,
@@ -243,7 +308,7 @@ export type {
   PolicyMapFromDefinitions,
   PolicyResolver,
   PolicySubjectArgs,
-} from "./policy";
+} from "./policy.js";
 /**
  * Policy and authorization gate helper exports.
  */
@@ -253,7 +318,7 @@ export {
   definePolicy,
   deny,
   GateAuthorizationError,
-} from "./policy";
+} from "./policy.js";
 /**
  * Rate limit port exports.
  */
@@ -261,11 +326,11 @@ export type {
   RateLimitHitOptions,
   RateLimitPort,
   RateLimitResult,
-} from "./rate-limit";
+} from "./rate-limit.js";
 /**
  * Rate limit helper exports.
  */
-export { createMemoryRateLimiter } from "./rate-limit";
+export { createMemoryRateLimiter } from "./rate-limit.js";
 /**
  * Redaction helper exports.
  */
@@ -283,7 +348,7 @@ export {
   type Redactor,
   redactHeaders,
   redactValue,
-} from "./redaction";
+} from "./redaction.js";
 /**
  * Storage port exports.
  */
@@ -296,11 +361,15 @@ export type {
   StoragePort,
   StoragePutOptions,
   StorageVisibility,
-} from "./storage";
+} from "./storage.js";
 /**
  * Storage helper exports.
  */
-export { createMemoryStorage } from "./storage";
+export { createMemoryStorage } from "./storage.js";
+/**
+ * Unbound (deferred) port helper exports.
+ */
+export { createUnboundPort, isUnboundPort } from "./unbound.js";
 /**
  * Unit of Work port exports.
  */
@@ -313,4 +382,4 @@ export {
   type RecordedDomainEvent,
   type UnitOfWorkCallback,
   type UnitOfWorkPort,
-} from "./unit-of-work";
+} from "./unit-of-work.js";