npm - @beignet/core - Versions diffs - 0.0.2 → 0.0.4 - Mend

@beignet/core 0.0.2 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (360) hide show

package/CHANGELOG.md +173 -0
package/README.md +821 -30
package/dist/application/index.d.ts +28 -2
package/dist/application/index.d.ts.map +1 -1
package/dist/application/index.js +140 -12
package/dist/application/index.js.map +1 -1
package/dist/client/client.d.ts +2 -2
package/dist/client/client.d.ts.map +1 -1
package/dist/client/client.js +136 -48
package/dist/client/client.js.map +1 -1
package/dist/client/error-messages.d.ts +14 -0
package/dist/client/error-messages.d.ts.map +1 -0
package/dist/client/error-messages.js +23 -0
package/dist/client/error-messages.js.map +1 -0
package/dist/client/index.d.ts +8 -4
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +6 -2
package/dist/client/index.js.map +1 -1
package/dist/client/types.d.ts +35 -5
package/dist/client/types.d.ts.map +1 -1
package/dist/client-only.d.ts +8 -0
package/dist/client-only.d.ts.map +1 -0
package/dist/client-only.js +8 -0
package/dist/client-only.js.map +1 -0
package/dist/config/index.d.ts +5 -5
package/dist/config/index.d.ts.map +1 -1
package/dist/config/index.js +2 -2
package/dist/config/index.js.map +1 -1
package/dist/contracts/catalog-errors.d.ts +27 -0
package/dist/contracts/catalog-errors.d.ts.map +1 -0
package/dist/contracts/catalog-errors.js +69 -0
package/dist/contracts/catalog-errors.js.map +1 -0
package/dist/contracts/contract-builder.d.ts +15 -12
package/dist/contracts/contract-builder.d.ts.map +1 -1
package/dist/contracts/contract-builder.js +15 -41
package/dist/contracts/contract-builder.js.map +1 -1
package/dist/contracts/contract-group.d.ts +11 -8
package/dist/contracts/contract-group.d.ts.map +1 -1
package/dist/contracts/contract-group.js +13 -40
package/dist/contracts/contract-group.js.map +1 -1
package/dist/contracts/contract-like.d.ts +1 -1
package/dist/contracts/contract-like.d.ts.map +1 -1
package/dist/contracts/index.d.ts +13 -9
package/dist/contracts/index.d.ts.map +1 -1
package/dist/contracts/index.js +9 -5
package/dist/contracts/index.js.map +1 -1
package/dist/contracts/openapi-meta.d.ts +48 -0
package/dist/contracts/openapi-meta.d.ts.map +1 -1
package/dist/contracts/openapi-meta.js +3 -0
package/dist/contracts/openapi-meta.js.map +1 -1
package/dist/contracts/path-template.d.ts +1 -1
package/dist/contracts/path-template.js +2 -2
package/dist/contracts/path-template.js.map +1 -1
package/dist/contracts/schema-shape.d.ts +37 -0
package/dist/contracts/schema-shape.d.ts.map +1 -0
package/dist/contracts/schema-shape.js +61 -0
package/dist/contracts/schema-shape.js.map +1 -0
package/dist/contracts/success-status.d.ts +32 -0
package/dist/contracts/success-status.d.ts.map +1 -0
package/dist/contracts/success-status.js +18 -0
package/dist/contracts/success-status.js.map +1 -0
package/dist/contracts/types.d.ts +25 -5
package/dist/contracts/types.d.ts.map +1 -1
package/dist/contracts/types.js.map +1 -1
package/dist/contracts/utils.d.ts +1 -1
package/dist/contracts/utils.d.ts.map +1 -1
package/dist/contracts/utils.js +1 -1
package/dist/contracts/utils.js.map +1 -1
package/dist/domain/events.d.ts +1 -1
package/dist/domain/events.d.ts.map +1 -1
package/dist/domain/events.js +1 -1
package/dist/domain/events.js.map +1 -1
package/dist/domain/index.d.ts +3 -3
package/dist/domain/index.d.ts.map +1 -1
package/dist/domain/index.js +3 -3
package/dist/domain/index.js.map +1 -1
package/dist/errors/catalog.d.ts +9 -1
package/dist/errors/catalog.d.ts.map +1 -1
package/dist/errors/catalog.js +7 -1
package/dist/errors/catalog.js.map +1 -1
package/dist/errors/http.d.ts +10 -0
package/dist/errors/http.d.ts.map +1 -1
package/dist/errors/http.js +11 -1
package/dist/errors/http.js.map +1 -1
package/dist/errors/index.d.ts +4 -4
package/dist/errors/index.d.ts.map +1 -1
package/dist/errors/index.js +4 -4
package/dist/errors/index.js.map +1 -1
package/dist/errors/response.d.ts +4 -1
package/dist/errors/response.d.ts.map +1 -1
package/dist/errors/response.js.map +1 -1
package/dist/events/index.d.ts +10 -12
package/dist/events/index.d.ts.map +1 -1
package/dist/events/index.js +10 -10
package/dist/events/index.js.map +1 -1
package/dist/idempotency/index.d.ts +5 -3
package/dist/idempotency/index.d.ts.map +1 -1
package/dist/idempotency/index.js.map +1 -1
package/dist/jobs/index.d.ts +148 -16
package/dist/jobs/index.d.ts.map +1 -1
package/dist/jobs/index.js +174 -14
package/dist/jobs/index.js.map +1 -1
package/dist/notifications/index.d.ts +14 -16
package/dist/notifications/index.d.ts.map +1 -1
package/dist/notifications/index.js +14 -14
package/dist/notifications/index.js.map +1 -1
package/dist/openapi/index.d.ts +8 -3
package/dist/openapi/index.d.ts.map +1 -1
package/dist/openapi/index.js +41 -29
package/dist/openapi/index.js.map +1 -1
package/dist/openapi/schema-introspector.d.ts +37 -0
package/dist/openapi/schema-introspector.d.ts.map +1 -1
package/dist/openapi/schema-introspector.js +23 -17
package/dist/openapi/schema-introspector.js.map +1 -1
package/dist/outbox/index.d.ts +18 -4
package/dist/outbox/index.d.ts.map +1 -1
package/dist/outbox/index.js +104 -4
package/dist/outbox/index.js.map +1 -1
package/dist/ports/audit.d.ts +56 -10
package/dist/ports/audit.d.ts.map +1 -1
package/dist/ports/audit.js +71 -3
package/dist/ports/audit.js.map +1 -1
package/dist/ports/auth.d.ts +92 -0
package/dist/ports/auth.d.ts.map +1 -1
package/dist/ports/auth.js +92 -0
package/dist/ports/auth.js.map +1 -1
package/dist/ports/events.d.ts +2 -2
package/dist/ports/events.d.ts.map +1 -1
package/dist/ports/index.d.ts +62 -33
package/dist/ports/index.d.ts.map +1 -1
package/dist/ports/index.js +28 -34
package/dist/ports/index.js.map +1 -1
package/dist/ports/policy.d.ts +32 -3
package/dist/ports/policy.d.ts.map +1 -1
package/dist/ports/policy.js +13 -2
package/dist/ports/policy.js.map +1 -1
package/dist/ports/testing.d.ts +1030 -2
package/dist/ports/testing.d.ts.map +1 -1
package/dist/ports/testing.js +1031 -1
package/dist/ports/testing.js.map +1 -1
package/dist/ports/unbound.d.ts +21 -0
package/dist/ports/unbound.d.ts.map +1 -0
package/dist/ports/unbound.js +57 -0
package/dist/ports/unbound.js.map +1 -0
package/dist/ports/unit-of-work.d.ts +1 -1
package/dist/ports/unit-of-work.d.ts.map +1 -1
package/dist/ports/unit-of-work.js +1 -1
package/dist/ports/unit-of-work.js.map +1 -1
package/dist/providers/index.d.ts +3 -2
package/dist/providers/index.d.ts.map +1 -1
package/dist/providers/index.js +3 -2
package/dist/providers/index.js.map +1 -1
package/dist/providers/instrumentation.d.ts +46 -5
package/dist/providers/instrumentation.d.ts.map +1 -1
package/dist/providers/instrumentation.js +25 -6
package/dist/providers/instrumentation.js.map +1 -1
package/dist/providers/metadata.d.ts +39 -0
package/dist/providers/metadata.d.ts.map +1 -0
package/dist/providers/metadata.js +169 -0
package/dist/providers/metadata.js.map +1 -0
package/dist/providers/provider.d.ts +114 -9
package/dist/providers/provider.d.ts.map +1 -1
package/dist/providers/provider.js +3 -20
package/dist/providers/provider.js.map +1 -1
package/dist/schedules/index.d.ts +94 -13
package/dist/schedules/index.d.ts.map +1 -1
package/dist/schedules/index.js +66 -12
package/dist/schedules/index.js.map +1 -1
package/dist/server/audit-context.d.ts +29 -0
package/dist/server/audit-context.d.ts.map +1 -0
package/dist/server/audit-context.js +44 -0
package/dist/server/audit-context.js.map +1 -0
package/dist/server/context.d.ts +141 -0
package/dist/server/context.d.ts.map +1 -0
package/dist/server/context.js +39 -0
package/dist/server/context.js.map +1 -0
package/dist/server/contract-like.d.ts +1 -1
package/dist/server/contract-like.d.ts.map +1 -1
package/dist/server/contract-like.js +1 -1
package/dist/server/contract-like.js.map +1 -1
package/dist/server/health.d.ts +2 -2
package/dist/server/health.d.ts.map +1 -1
package/dist/server/hooks/auth.d.ts +89 -65
package/dist/server/hooks/auth.d.ts.map +1 -1
package/dist/server/hooks/auth.js +84 -55
package/dist/server/hooks/auth.js.map +1 -1
package/dist/server/hooks/cors.d.ts +1 -1
package/dist/server/hooks/cors.d.ts.map +1 -1
package/dist/server/hooks/errors.d.ts +2 -2
package/dist/server/hooks/errors.d.ts.map +1 -1
package/dist/server/hooks/errors.js +2 -2
package/dist/server/hooks/errors.js.map +1 -1
package/dist/server/hooks/idempotency.d.ts +78 -0
package/dist/server/hooks/idempotency.d.ts.map +1 -0
package/dist/server/hooks/idempotency.js +154 -0
package/dist/server/hooks/idempotency.js.map +1 -0
package/dist/server/hooks/index.d.ts +8 -7
package/dist/server/hooks/index.d.ts.map +1 -1
package/dist/server/hooks/index.js +6 -5
package/dist/server/hooks/index.js.map +1 -1
package/dist/server/hooks/logging.d.ts +2 -2
package/dist/server/hooks/logging.d.ts.map +1 -1
package/dist/server/hooks/logging.js +1 -1
package/dist/server/hooks/logging.js.map +1 -1
package/dist/server/hooks/rate-limit.d.ts +25 -7
package/dist/server/hooks/rate-limit.d.ts.map +1 -1
package/dist/server/hooks/rate-limit.js +47 -12
package/dist/server/hooks/rate-limit.js.map +1 -1
package/dist/server/hooks.d.ts +1 -1
package/dist/server/hooks.d.ts.map +1 -1
package/dist/server/hooks.js +1 -1
package/dist/server/hooks.js.map +1 -1
package/dist/server/http.d.ts +84 -6
package/dist/server/http.d.ts.map +1 -1
package/dist/server/index.d.ts +36 -12
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +24 -8
package/dist/server/index.js.map +1 -1
package/dist/server/instrumentation.d.ts +108 -0
package/dist/server/instrumentation.d.ts.map +1 -0
package/dist/server/instrumentation.js +297 -0
package/dist/server/instrumentation.js.map +1 -0
package/dist/server/openapi.d.ts +3 -3
package/dist/server/openapi.d.ts.map +1 -1
package/dist/server/openapi.js +1 -1
package/dist/server/openapi.js.map +1 -1
package/dist/server/providers/index.d.ts +3 -3
package/dist/server/providers/index.d.ts.map +1 -1
package/dist/server/providers/index.js +3 -3
package/dist/server/providers/index.js.map +1 -1
package/dist/server/providers/loadProviderConfig.d.ts +2 -2
package/dist/server/providers/loadProviderConfig.d.ts.map +1 -1
package/dist/server/providers/loadProviderConfig.js +2 -2
package/dist/server/providers/loadProviderConfig.js.map +1 -1
package/dist/server/request-context.d.ts +67 -0
package/dist/server/request-context.d.ts.map +1 -0
package/dist/server/request-context.js +79 -0
package/dist/server/request-context.js.map +1 -0
package/dist/server/server-context.d.ts +38 -0
package/dist/server/server-context.d.ts.map +1 -0
package/dist/server/server-context.js +38 -0
package/dist/server/server-context.js.map +1 -0
package/dist/server/server.d.ts +148 -35
package/dist/server/server.d.ts.map +1 -1
package/dist/server/server.js +482 -145
package/dist/server/server.js.map +1 -1
package/dist/server/types.d.ts +2 -2
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +2 -2
package/dist/server/types.js.map +1 -1
package/dist/server/use-case-route.d.ts +263 -0
package/dist/server/use-case-route.d.ts.map +1 -0
package/dist/server/use-case-route.js +77 -0
package/dist/server/use-case-route.js.map +1 -0
package/dist/server-only.d.ts +8 -0
package/dist/server-only.d.ts.map +1 -0
package/dist/server-only.js +8 -0
package/dist/server-only.js.map +1 -0
package/dist/tasks/index.d.ts +139 -0
package/dist/tasks/index.d.ts.map +1 -0
package/dist/tasks/index.js +98 -0
package/dist/tasks/index.js.map +1 -0
package/dist/testing/index.d.ts +611 -5
package/dist/testing/index.d.ts.map +1 -1
package/dist/testing/index.js +434 -4
package/dist/testing/index.js.map +1 -1
package/dist/tracing/index.d.ts +89 -0
package/dist/tracing/index.d.ts.map +1 -0
package/dist/tracing/index.js +101 -0
package/dist/tracing/index.js.map +1 -0
package/dist/uploads/client.d.ts +278 -0
package/dist/uploads/client.d.ts.map +1 -0
package/dist/uploads/client.js +428 -0
package/dist/uploads/client.js.map +1 -0
package/dist/uploads/index.d.ts +361 -0
package/dist/uploads/index.d.ts.map +1 -0
package/dist/uploads/index.js +543 -0
package/dist/uploads/index.js.map +1 -0
package/package.json +34 -3
package/src/application/index.ts +193 -10
package/src/client/client.ts +148 -150
package/src/client/error-messages.ts +35 -0
package/src/client/index.ts +12 -4
package/src/client/types.ts +44 -5
package/src/client-only.ts +7 -0
package/src/config/index.ts +6 -6
package/src/contracts/catalog-errors.ts +115 -0
package/src/contracts/contract-builder.ts +39 -76
package/src/contracts/contract-group.ts +33 -68
package/src/contracts/contract-like.ts +1 -1
package/src/contracts/index.ts +24 -11
package/src/contracts/openapi-meta.ts +55 -0
package/src/contracts/path-template.ts +2 -2
package/src/contracts/schema-shape.ts +75 -0
package/src/contracts/success-status.ts +68 -0
package/src/contracts/types.ts +32 -5
package/src/contracts/utils.ts +5 -2
package/src/domain/events.ts +6 -2
package/src/domain/index.ts +3 -3
package/src/errors/catalog.ts +9 -1
package/src/errors/http.ts +11 -1
package/src/errors/index.ts +4 -4
package/src/errors/response.ts +4 -1
package/src/events/index.ts +12 -26
package/src/idempotency/index.ts +5 -3
package/src/jobs/index.ts +340 -29
package/src/notifications/index.ts +17 -27
package/src/openapi/index.ts +73 -38
package/src/openapi/schema-introspector.ts +68 -17
package/src/outbox/index.ts +151 -6
package/src/ports/audit.ts +120 -11
package/src/ports/auth.ts +132 -0
package/src/ports/events.ts +2 -2
package/src/ports/index.ts +104 -35
package/src/ports/policy.ts +50 -3
package/src/ports/testing.ts +2220 -33
package/src/ports/unbound.ts +64 -0
package/src/ports/unit-of-work.ts +6 -2
package/src/providers/index.ts +16 -3
package/src/providers/instrumentation.ts +93 -8
package/src/providers/metadata.ts +234 -0
package/src/providers/provider.ts +168 -9
package/src/schedules/index.ts +173 -23
package/src/server/audit-context.ts +45 -0
package/src/server/context.ts +224 -0
package/src/server/contract-like.ts +1 -1
package/src/server/health.ts +2 -2
package/src/server/hooks/auth.ts +175 -158
package/src/server/hooks/cors.ts +1 -1
package/src/server/hooks/errors.ts +7 -4
package/src/server/hooks/idempotency.ts +263 -0
package/src/server/hooks/index.ts +15 -12
package/src/server/hooks/logging.ts +3 -3
package/src/server/hooks/rate-limit.ts +85 -17
package/src/server/hooks.ts +1 -1
package/src/server/http.ts +112 -6
package/src/server/index.ts +63 -12
package/src/server/instrumentation.ts +470 -0
package/src/server/openapi.ts +4 -4
package/src/server/providers/index.ts +6 -3
package/src/server/providers/loadProviderConfig.ts +4 -4
package/src/server/request-context.ts +116 -0
package/src/server/server-context.ts +44 -0
package/src/server/server.ts +1045 -229
package/src/server/types.ts +2 -2
package/src/server/use-case-route.ts +430 -0
package/src/server-only.ts +7 -0
package/src/tasks/index.ts +275 -0
package/src/testing/index.ts +1153 -6
package/src/tracing/index.ts +176 -0
package/src/uploads/client.ts +861 -0
package/src/uploads/index.ts +1071 -0
package/dist/ports/mailer.d.ts +0 -6
package/dist/ports/mailer.d.ts.map +0 -1
package/dist/ports/mailer.js +0 -2
package/dist/ports/mailer.js.map +0 -1
package/dist/ports/schedules.d.ts +0 -9
package/dist/ports/schedules.d.ts.map +0 -1
package/dist/ports/schedules.js +0 -2
package/dist/ports/schedules.js.map +0 -1

package/src/server/context.ts ADDED Viewed

@@ -0,0 +1,224 @@
+import type { HttpContractConfig } from "../contracts/index.js";
+import type {
+  AnyPorts,
+  BoundGate,
+  GatePort,
+  PolicyDefinition,
+} from "../ports/index.js";
+import type { TraceContext } from "../tracing/index.js";
+import type { HttpRequestLike, MaybePromise } from "./http.js";
+/**
+ * Arguments passed to the `context.request` factory after a route is matched.
+ */
+export type RequestContextArgs<Ports extends AnyPorts = AnyPorts> = {
+  /**
+   * Framework-neutral request.
+   */
+  req: HttpRequestLike;
+  /**
+   * Final app ports, including ports contributed by providers.
+   */
+  ports: Ports;
+  /**
+   * Matched contract, when the request resolved to a registered route.
+   */
+  contract?: HttpContractConfig;
+  /**
+   * Request correlation ID resolved by the server from the configured request
+   * ID header, or generated when the request did not send one.
+   */
+  requestId: string;
+  /**
+   * W3C trace context resolved by the server from the incoming `traceparent`
+   * header, or generated when the request did not send one. Spread this into
+   * the context (`...trace`) to correlate downstream activity.
+   */
+  trace: TraceContext;
+};
+/**
+ * Arguments passed to the `context.service` factory.
+ */
+export type ServiceContextArgs<
+  Ports extends AnyPorts = AnyPorts,
+  ServiceInput = void,
+> = {
+  /**
+   * Final app ports, including ports contributed by providers.
+   */
+  ports: Ports;
+  /**
+   * Caller-provided input such as the service actor or tenant.
+   */
+  input: ServiceInput;
+  /**
+   * Fresh correlation ID generated for this service context.
+   */
+  requestId: string;
+  /**
+   * Fresh W3C trace context generated for this service context. Spread this
+   * into the context (`...trace`) to correlate downstream activity.
+   */
+  trace: TraceContext;
+};
+/**
+ * App context without its `gate` property.
+ *
+ * Context factories return seeds; the server attaches the gate declared by
+ * the blueprint's `gate` selector, so hand-binding `gate` in a factory is a
+ * type error.
+ */
+export type ContextSeed<Ctx> = Omit<Ctx, "gate"> & { gate?: never };
+type ContextGateOption<Ctx, Ports extends AnyPorts> = [Ctx] extends [
+  { gate: BoundGate<infer TPolicies extends readonly PolicyDefinition[]> },
+]
+  ? {
+      /**
+       * Select the gate port the server attaches to every context it builds.
+       */
+      gate: (ports: Ports) => GatePort<ContextSeed<Ctx>, TPolicies>;
+    }
+  : {
+      /**
+       * Gate selection is only available when the context type declares a
+       * `gate` property.
+       */
+      gate?: never;
+    };
+/**
+ * Context blueprint accepted by `createServer(...)`.
+ *
+ * The server owns context assembly: `request` and `service` return context
+ * seeds, and the server attaches the gate declared by `gate` so identity
+ * changes can never authorize against a stale context.
+ */
+export type ServerContextOptions<
+  Ctx,
+  Ports extends AnyPorts = AnyPorts,
+  ServiceInput = void,
+> = {
+  /**
+   * Build the per-request context seed.
+   */
+  request: (args: RequestContextArgs<Ports>) => MaybePromise<ContextSeed<Ctx>>;
+  /**
+   * Build a service context seed for schedules, outbox drains, tasks, and
+   * background work. Required before `server.createServiceContext(...)` can
+   * be called.
+   */
+  service?: (
+    args: ServiceContextArgs<Ports, ServiceInput>,
+  ) => MaybePromise<ContextSeed<Ctx>>;
+} & ContextGateOption<Ctx, Ports>;
+/**
+ * Context configuration accepted by `createServer(...)`.
+ *
+ * Contexts without a `gate` property may use the plain request-factory
+ * shorthand. Contexts with a `gate` must use the blueprint form so the server
+ * owns gate attachment.
+ */
+export type ServerContextConfig<
+  Ctx,
+  Ports extends AnyPorts = AnyPorts,
+  ServiceInput = void,
+> = [Ctx] extends [{ gate: unknown }]
+  ? ServerContextOptions<Ctx, Ports, ServiceInput>
+  :
+      | ((args: RequestContextArgs<Ports>) => MaybePromise<Ctx>)
+      | ServerContextOptions<Ctx, Ports, ServiceInput>;
+/**
+ * Argument tuple for `createServiceContext(...)`.
+ *
+ * Servers without a declared service input are callable with no arguments;
+ * optional inputs stay optional at the call site.
+ */
+export type ServiceContextInputArgs<ServiceInput> = [ServiceInput] extends [
+  // biome-ignore lint/suspicious/noConfusingVoidType: void marks "no declared service input" here
+  void,
+]
+  ? []
+  : undefined extends ServiceInput
+    ? [input?: ServiceInput]
+    : [input: ServiceInput];
+type AnyGateSelector<Ports extends AnyPorts> = (
+  ports: Ports,
+) => Pick<GatePort<unknown>, "attach">;
+/**
+ * Normalized runtime view of a server context configuration.
+ */
+export type ResolvedServerContext<Ctx, Ports extends AnyPorts, ServiceInput> = {
+  request: (
+    args: RequestContextArgs<Ports>,
+  ) => MaybePromise<ContextSeed<Ctx> | Ctx>;
+  service?: (
+    args: ServiceContextArgs<Ports, ServiceInput>,
+  ) => MaybePromise<ContextSeed<Ctx>>;
+  gate?: AnyGateSelector<Ports>;
+};
+/**
+ * Normalize a server context configuration into its runtime parts.
+ */
+export function resolveServerContext<Ctx, Ports extends AnyPorts, ServiceInput>(
+  config: ServerContextConfig<Ctx, Ports, ServiceInput>,
+): ResolvedServerContext<Ctx, Ports, ServiceInput> {
+  const value = config as
+    | ((args: RequestContextArgs<Ports>) => MaybePromise<Ctx>)
+    | (ResolvedServerContext<Ctx, Ports, ServiceInput> & {
+        gate?: AnyGateSelector<Ports>;
+      });
+  if (typeof value === "function") {
+    return { request: value };
+  }
+  return {
+    request: value.request,
+    service: value.service,
+    gate: value.gate,
+  };
+}
+/**
+ * Create the context finalizer for a resolved server context.
+ *
+ * When the blueprint declares a gate, the finalizer strips hand-assigned
+ * `gate` values from seeds and attaches the live gate. Without a gate
+ * declaration the seed is the context.
+ */
+export function createContextFinalizer<
+  Ctx,
+  Ports extends AnyPorts,
+  ServiceInput,
+>(
+  resolved: ResolvedServerContext<Ctx, Ports, ServiceInput>,
+  getPorts: () => Ports,
+): (seed: ContextSeed<Ctx> | Ctx) => Ctx {
+  const gateSelector = resolved.gate;
+  if (!gateSelector) {
+    return (seed) => seed as Ctx;
+  }
+  return (seed) => {
+    const target = seed as object;
+    const existing = Object.getOwnPropertyDescriptor(target, "gate");
+    if (existing && existing.get === undefined) {
+      if (process.env.NODE_ENV !== "production") {
+        console.warn(
+          "[beignet] Ignoring a hand-assigned ctx.gate value. The server context blueprint owns gate attachment; remove `gate` from context factories and hook additions.",
+        );
+      }
+      delete (target as { gate?: unknown }).gate;
+    }
+    return gateSelector(getPorts()).attach(target) as Ctx;
+  };
+}

package/src/server/contract-like.ts CHANGED Viewed

@@ -5,4 +5,4 @@ export {
   type ContractLike,
   type ResolveContract,
   resolveContract,
-} from "../contracts";
+} from "../contracts/index.js";

package/src/server/health.ts CHANGED Viewed

@@ -3,8 +3,8 @@
  * Health check handler for Beignet server adapters.
  */
-import type { AnyPorts } from "../ports";
-import type { HttpRequestLike, HttpResponseLike } from "./types";
+import type { AnyPorts } from "../ports/index.js";
+import type { HttpRequestLike, HttpResponseLike } from "./types.js";
 /**
  * Health check result returned by health handlers.

package/src/server/hooks/auth.ts CHANGED Viewed

@@ -1,205 +1,222 @@
-import {
-  type AuthPort,
-  type AuthSession,
-  AuthUnauthorizedError,
-} from "../../ports";
-import type { HttpRequestLike, HttpResponse, ServerHook } from "../types";
+import type { InferOutput, StandardSchema } from "../../contracts/index.js";
+import { AuthUnauthorizedError } from "../../ports/index.js";
+import type { HttpRequestLike, RouteHook } from "../types.js";
 type MaybePromise<T> = T | Promise<T>;
 /**
- * Authentication mode for one matched contract.
+ * Arguments passed to auth route-hook callbacks.
  */
-export type AuthHookMode = "public" | "optional" | "required";
-/**
- * Input accepted when resolving auth mode from contract metadata or options.
- *
- * `true` maps to `"required"`; `false`, `null`, and `undefined` map to
- * `"public"`.
- */
-export type AuthHookModeInput = AuthHookMode | boolean | null | undefined;
-/**
- * Minimal context shape required when `createAuthHooks(...)` reads
- * `ctx.ports.auth`.
- */
-export type CtxWithAuthPort = {
-  ports: {
-    auth: AuthPort;
-  };
-};
-/**
- * Arguments passed to auth hook callbacks.
- */
-export type AuthHookArgs<Ctx> = {
+export type AuthHookArgs<
+  Ctx,
+  HeadersSchema extends StandardSchema | undefined = undefined,
+> = {
+  /**
+   * Framework-neutral request.
+   */
   req: HttpRequestLike;
+  /**
+   * Current route handler context.
+   */
   ctx: Ctx;
+  /**
+   * Matched contract metadata and schemas.
+   */
   contract: {
     metadata?: Record<string, unknown>;
   };
+  /**
+   * Parsed path parameters.
+   */
   path: unknown;
+  /**
+   * Parsed query parameters.
+   */
   query: unknown;
-  headers: unknown;
+  /**
+   * Hook-owned request headers.
+   *
+   * When the auth hooks declare a `headers` schema, this is that schema's
+   * output parsed from the raw lowercase request header record. Without a
+   * schema it is the raw lowercase header record itself, so auth resolution
+   * never depends on each route's contract header schema.
+   */
+  headers: HeadersSchema extends StandardSchema
+    ? InferOutput<HeadersSchema>
+    : Record<string, string>;
+  /**
+   * Parsed request body.
+   */
   body: unknown;
 };
 /**
- * Arguments passed to the auth `assign` callback.
- */
-export type AuthHookAssignArgs<Ctx, Session> = AuthHookArgs<Ctx> & {
-  session: Session | null;
-};
-/**
- * Arguments passed to the auth `unauthorized` callback.
- */
-export type AuthHookUnauthorizedArgs<Ctx, Session> = AuthHookArgs<Ctx> & {
-  session: Session | null;
-};
-/**
- * Options for `createAuthHooks(...)`.
+ * Options for route-scoped auth hooks.
+ *
+ * Auth additions must not include `gate`: the server re-attaches the gate
+ * declared by the context blueprint after every hook, so elevated identities
+ * are authorized against the updated context automatically.
  */
-export type AuthHooksOptions<Ctx, Session> = {
+export type AuthHooksOptions<
+  Ctx,
+  AddedCtx extends object & { gate?: never },
+  HeadersSchema extends StandardSchema | undefined = undefined,
+> = {
   /**
-   * Hook name used in diagnostics.
+   * Hook name prefix used in diagnostics.
    */
   name?: string;
   /**
-   * Resolve whether the current contract is public, optional-auth, or required-auth.
+   * Optional Standard Schema for the credential headers this hook reads.
+   *
+   * The schema is validated against the raw lowercase request header record
+   * before `resolve` runs. On `required()` hooks a schema failure rejects the
+   * request with a framework-owned 401; on `optional()` hooks a schema failure
+   * skips auth resolution; `public()` hooks never parse headers.
    */
-  mode?: (args: AuthHookArgs<Ctx>) => MaybePromise<AuthHookModeInput>;
+  headers?: HeadersSchema;
   /**
-   * Custom session lookup. Required when context does not expose
-   * `ctx.ports.auth`.
+   * Resolve authenticated context additions for the current request.
+   *
+   * Return `null` when the request is unauthenticated. Required hooks will
+   * reject that request; optional hooks will add no auth context.
    */
-  getSession?: (args: AuthHookArgs<Ctx>) => MaybePromise<Session | null>;
+  resolve: (
+    args: AuthHookArgs<Ctx, HeadersSchema>,
+  ) => MaybePromise<AddedCtx | null>;
+};
+/**
+ * Route-scoped auth hook set.
+ */
+export type AuthRouteHooks<Ctx, AddedCtx extends object & { gate?: never }> = {
   /**
-   * Decide whether a resolved session counts as authenticated.
+   * Mark a route as intentionally public.
    */
-  isAuthenticated?: (session: Session | null) => boolean;
+  public: () => RouteHook<Ctx, Record<string, never>>;
   /**
-   * Return an updated context with auth/session fields attached.
+   * Resolve auth when present and add optional auth fields to the handler ctx.
    */
-  assign?: (args: AuthHookAssignArgs<Ctx, Session>) => MaybePromise<Ctx>;
+  optional: () => RouteHook<Ctx, Partial<AddedCtx>>;
   /**
-   * Return a custom unauthorized response for required-auth routes.
+   * Require auth and add authenticated fields to the handler ctx.
    */
-  unauthorized?: (
-    args: AuthHookUnauthorizedArgs<Ctx, Session>,
-  ) => MaybePromise<HttpResponse>;
+  required: () => RouteHook<Ctx, AddedCtx>;
 };
-type InferAuthSession<TAuth> =
-  TAuth extends AuthPort<infer User, infer SessionMetadata>
-    ? AuthSession<User, SessionMetadata>
-    : unknown;
-function modeFromInput(input: AuthHookModeInput): AuthHookMode {
-  if (input === true || input === "required") return "required";
-  if (input === "optional") return "optional";
-  return "public";
+function rawRequestHeaders(req: HttpRequestLike): Record<string, string> {
+  const record: Record<string, string> = {};
+  req.headers.forEach((value, key) => {
+    record[key.toLowerCase()] = value;
+  });
+  return record;
 }
-function defaultMode<Ctx>(args: AuthHookArgs<Ctx>): AuthHookMode {
-  return modeFromInput(args.contract.metadata?.auth as AuthHookModeInput);
-}
+type ParsedAuthHeaders = { ok: true; headers: unknown } | { ok: false };
-async function defaultGetSession<Ctx>(
-  args: AuthHookArgs<Ctx>,
-): Promise<unknown | null> {
-  const auth = (args.ctx as { ports?: { auth?: AuthPort } }).ports?.auth;
-  if (!auth) {
-    throw new Error(
-      "createAuthHooks requires ctx.ports.auth or an explicit getSession option.",
-    );
+async function parseAuthHeaders(
+  schema: StandardSchema | undefined,
+  req: HttpRequestLike,
+): Promise<ParsedAuthHeaders> {
+  const raw = rawRequestHeaders(req);
+  if (!schema) {
+    return { ok: true, headers: raw };
   }
-  return auth.getSession(args.req);
-}
+  const result = await schema["~standard"].validate(raw);
+  if (result.issues) {
+    return { ok: false };
+  }
-function defaultIsAuthenticated<Session>(session: Session | null): boolean {
-  return session !== null;
+  return { ok: true, headers: result.value };
 }
 /**
- * Create metadata-driven authentication hooks.
+ * Create route-scoped authentication hooks.
+ *
+ * The outer call binds the app context; the inner call takes auth options and
+ * infers the added context from `resolve`:
+ *
+ * ```ts
+ * const auth = createAuthHooks<AppContext>()({
+ *   resolve: ({ ctx }) => (ctx.auth ? { user: ctx.auth.user } : null),
+ * });
+ * ```
+ *
+ * Use `auth.required()` on routes that require an authenticated actor and
+ * `auth.optional()` where handlers can use auth when present. The returned
+ * route hooks enrich handler `ctx`; business authorization still belongs in
+ * feature policies or use cases.
  *
- * By default the hook reads `contract.metadata.auth`: `"required"` or `true`
- * requires an authenticated session, `"optional"` attaches a session when one
- * exists, and missing/false metadata treats the route as public. The hook
- * identifies a user; business authorization still belongs in policies or use
- * cases.
+ * Declare a `headers` schema when credentials live in request headers. The
+ * hook validates the raw lowercase header record itself, so `resolve` receives
+ * typed headers without contract casts and a `required()` hook rejects
+ * missing or malformed credentials with a framework-owned 401.
  *
- * @param options - Optional auth mode, session lookup, context assignment, and
- * unauthorized response customization.
- * @returns A server hook that runs before route handlers.
+ * @returns A function that takes auth options and returns public, optional,
+ * and required route-hook factories.
  */
-export function createAuthHooks<Ctx extends CtxWithAuthPort>(
-  options?: AuthHooksOptions<Ctx, InferAuthSession<Ctx["ports"]["auth"]>>,
-): ServerHook<Ctx, Ctx["ports"]>;
-export function createAuthHooks<Ctx, Session>(
-  options: AuthHooksOptions<Ctx, Session> & {
-    getSession: (args: AuthHookArgs<Ctx>) => MaybePromise<Session | null>;
-  },
-): ServerHook<Ctx>;
-export function createAuthHooks<Ctx, Session>(
-  options: AuthHooksOptions<Ctx, Session> = {},
-): ServerHook<Ctx> {
-  return {
-    name: options.name ?? "auth",
-    beforeHandle: async ({
-      req,
-      ctx,
-      contract,
-      path,
-      query,
-      headers,
-      body,
-    }) => {
-      const args: AuthHookArgs<Ctx> = {
-        req,
-        ctx,
-        contract,
-        path,
-        query,
+export function createAuthHooks<Ctx>() {
+  return <
+    AddedCtx extends object & { gate?: never },
+    HeadersSchema extends StandardSchema | undefined = undefined,
+  >(
+    options: AuthHooksOptions<Ctx, AddedCtx, HeadersSchema>,
+  ): AuthRouteHooks<Ctx, AddedCtx> => {
+    const name = options.name ?? "auth";
+    const toAuthArgs = (
+      args: Parameters<RouteHook<Ctx, object>["resolve"]>[0],
+      headers: unknown,
+    ): AuthHookArgs<Ctx, HeadersSchema> =>
+      ({
+        req: args.req,
+        ctx: args.ctx,
+        contract: args.contract,
+        path: args.path,
+        query: args.query,
         headers,
-        body,
-      };
-      const mode = modeFromInput(
-        options.mode ? await options.mode(args) : defaultMode(args),
-      );
-      if (mode === "public") {
-        return undefined;
-      }
-      const session = options.getSession
-        ? await options.getSession(args)
-        : ((await defaultGetSession(args)) as Session | null);
-      const isAuthenticated =
-        options.isAuthenticated?.(session) ?? defaultIsAuthenticated(session);
-      if (mode === "required" && !isAuthenticated) {
-        if (options.unauthorized) {
-          return {
-            ctx,
-            response: await options.unauthorized({ ...args, session }),
-          };
-        }
-        throw new AuthUnauthorizedError();
-      }
-      if (!options.assign) {
-        return undefined;
-      }
-      return {
-        ctx: await options.assign({ ...args, session }),
-      };
-    },
+        body: args.body,
+      }) as AuthHookArgs<Ctx, HeadersSchema>;
+    return {
+      public: () => ({
+        name: `${name}.public`,
+        resolve: () => undefined,
+      }),
+      optional: () => ({
+        name: `${name}.optional`,
+        resolve: async (args) => {
+          const parsed = await parseAuthHeaders(options.headers, args.req);
+          if (!parsed.ok) {
+            return undefined;
+          }
+          const additions = await options.resolve(
+            toAuthArgs(args, parsed.headers),
+          );
+          return additions ?? undefined;
+        },
+      }),
+      required: () => ({
+        name: `${name}.required`,
+        resolve: async (args) => {
+          const parsed = await parseAuthHeaders(options.headers, args.req);
+          if (!parsed.ok) {
+            throw new AuthUnauthorizedError();
+          }
+          const additions = await options.resolve(
+            toAuthArgs(args, parsed.headers),
+          );
+          if (!additions) {
+            throw new AuthUnauthorizedError();
+          }
+          return additions;
+        },
+      }),
+    };
   };
 }

package/src/server/hooks/cors.ts CHANGED Viewed

@@ -2,7 +2,7 @@
  * CORS hook utilities for @beignet/core/server
  */
-import type { HttpRequestLike, ServerHook } from "../types";
+import type { HttpRequestLike, ServerHook } from "../types.js";
 /**
  * CORS configuration for `createCorsHooks(...)`.

package/src/server/hooks/errors.ts CHANGED Viewed

@@ -2,14 +2,17 @@
  * Framework-agnostic error mapping utilities for @beignet/core/server
  */
-import { createErrorResponseBody, type ErrorResponseBody } from "../../errors";
-import type { AppEnvironment } from "../health";
-import { getRequestIdFromContext } from "./utils";
+import {
+  createErrorResponseBody,
+  type ErrorResponseBody,
+} from "../../errors/index.js";
+import type { AppEnvironment } from "../health.js";
+import { getRequestIdFromContext } from "./utils.js";
 /**
  * Re-export `AppEnvironment` for convenience.
  */
-export type { AppEnvironment } from "../health";
+export type { AppEnvironment } from "../health.js";
 /**
  * Framework-neutral response produced by an error mapper.