@beignet/core 0.0.3 → 0.0.4

package/dist/server/hooks/auth.js

@@ -1,50 +1,90 @@
-import { AuthUnauthorizedError } from "../../ports";
-function toAuthArgs(args) {
-    return {
-        req: args.req,
-        ctx: args.ctx,
-        contract: args.contract,
-        path: args.path,
-        query: args.query,
-        headers: args.headers,
-        body: args.body,
-    };
+import { AuthUnauthorizedError } from "../../ports/index.js";
+function rawRequestHeaders(req) {
+    const record = {};
+    req.headers.forEach((value, key) => {
+        record[key.toLowerCase()] = value;
+    });
+    return record;
+}
+async function parseAuthHeaders(schema, req) {
+    const raw = rawRequestHeaders(req);
+    if (!schema) {
+        return { ok: true, headers: raw };
+    }
+    const result = await schema["~standard"].validate(raw);
+    if (result.issues) {
+        return { ok: false };
+    }
+    return { ok: true, headers: result.value };
 }
 /**
  * Create route-scoped authentication hooks.
  *
+ * The outer call binds the app context; the inner call takes auth options and
+ * infers the added context from `resolve`:
+ *
+ * ```ts
+ * const auth = createAuthHooks<AppContext>()({
+ *   resolve: ({ ctx }) => (ctx.auth ? { user: ctx.auth.user } : null),
+ * });
+ * ```
+ *
  * Use `auth.required()` on routes that require an authenticated actor and
  * `auth.optional()` where handlers can use auth when present. The returned
  * route hooks enrich handler `ctx`; business authorization still belongs in
  * feature policies or use cases.
  *
- * @param options - Auth resolution callback and optional diagnostic name.
- * @returns Public, optional, and required route-hook factories.
+ * Declare a `headers` schema when credentials live in request headers. The
+ * hook validates the raw lowercase header record itself, so `resolve` receives
+ * typed headers without contract casts and a `required()` hook rejects
+ * missing or malformed credentials with a framework-owned 401.
+ *
+ * @returns A function that takes auth options and returns public, optional,
+ * and required route-hook factories.
  */
-export function createAuthHooks(options) {
-    const name = options.name ?? "auth";
-    return {
-        public: () => ({
-            name: `${name}.public`,
-            resolve: () => undefined,
-        }),
-        optional: () => ({
-            name: `${name}.optional`,
-            resolve: async (args) => {
-                const additions = await options.resolve(toAuthArgs(args));
-                return additions ?? undefined;
-            },
-        }),
-        required: () => ({
-            name: `${name}.required`,
-            resolve: async (args) => {
-                const additions = await options.resolve(toAuthArgs(args));
-                if (!additions) {
-                    throw new AuthUnauthorizedError();
-                }
-                return additions;
-            },
-        }),
+export function createAuthHooks() {
+    return (options) => {
+        const name = options.name ?? "auth";
+        const toAuthArgs = (args, headers) => ({
+            req: args.req,
+            ctx: args.ctx,
+            contract: args.contract,
+            path: args.path,
+            query: args.query,
+            headers,
+            body: args.body,
+        });
+        return {
+            public: () => ({
+                name: `${name}.public`,
+                resolve: () => undefined,
+            }),
+            optional: () => ({
+                name: `${name}.optional`,
+                resolve: async (args) => {
+                    const parsed = await parseAuthHeaders(options.headers, args.req);
+                    if (!parsed.ok) {
+                        return undefined;
+                    }
+                    const additions = await options.resolve(toAuthArgs(args, parsed.headers));
+                    return additions ?? undefined;
+                },
+            }),
+            required: () => ({
+                name: `${name}.required`,
+                resolve: async (args) => {
+                    const parsed = await parseAuthHeaders(options.headers, args.req);
+                    if (!parsed.ok) {
+                        throw new AuthUnauthorizedError();
+                    }
+                    const additions = await options.resolve(toAuthArgs(args, parsed.headers));
+                    if (!additions) {
+                        throw new AuthUnauthorizedError();
+                    }
+                    return additions;
+                },
+            }),
+        };
     };
 }
 //# sourceMappingURL=auth.js.map

package/dist/server/hooks/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/server/hooks/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AA4EpD,SAAS,UAAU,CACjB,IAAsD;IAEtD,OAAO;QACL,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAC7B,OAAwC;IAExC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC;IAEpC,OAAO;QACL,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACb,IAAI,EAAE,GAAG,IAAI,SAAS;YACtB,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS;SACzB,CAAC;QACF,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;YACf,IAAI,EAAE,GAAG,IAAI,WAAW;YACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;gBAE1D,OAAO,SAAS,IAAI,SAAS,CAAC;YAChC,CAAC;SACF,CAAC;QACF,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;YACf,IAAI,EAAE,GAAG,IAAI,WAAW;YACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC1D,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,MAAM,IAAI,qBAAqB,EAAE,CAAC;gBACpC,CAAC;gBAED,OAAO,SAAS,CAAC;YACnB,CAAC;SACF,CAAC;KACH,CAAC;AACJ,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/server/hooks/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAyG7D,SAAS,iBAAiB,CAAC,GAAoB;IAC7C,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACjC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,KAAK,CAAC;IACpC,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAID,KAAK,UAAU,gBAAgB,CAC7B,MAAkC,EAClC,GAAoB;IAEpB,MAAM,GAAG,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IACvB,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;AAC7C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,CAIL,OAAuD,EACxB,EAAE;QACjC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC;QAEpC,MAAM,UAAU,GAAG,CACjB,IAAsD,EACtD,OAAgB,EACkB,EAAE,CACpC,CAAC;YACC,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAqC,CAAC;QAEzC,OAAO;YACL,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACb,IAAI,EAAE,GAAG,IAAI,SAAS;gBACtB,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS;aACzB,CAAC;YACF,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;gBACf,IAAI,EAAE,GAAG,IAAI,WAAW;gBACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;oBACtB,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;oBACjE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;wBACf,OAAO,SAAS,CAAC;oBACnB,CAAC;oBAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,OAAO,CACrC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,CACjC,CAAC;oBAEF,OAAO,SAAS,IAAI,SAAS,CAAC;gBAChC,CAAC;aACF,CAAC;YACF,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;gBACf,IAAI,EAAE,GAAG,IAAI,WAAW;gBACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;oBACtB,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;oBACjE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;wBACf,MAAM,IAAI,qBAAqB,EAAE,CAAC;oBACpC,CAAC;oBAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,OAAO,CACrC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,CACjC,CAAC;oBACF,IAAI,CAAC,SAAS,EAAE,CAAC;wBACf,MAAM,IAAI,qBAAqB,EAAE,CAAC;oBACpC,CAAC;oBAED,OAAO,SAAS,CAAC;gBACnB,CAAC;aACF,CAAC;SACH,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/hooks/cors.d.ts

@@ -1,7 +1,7 @@
 /**
  * CORS hook utilities for @beignet/core/server
  */
-import type { HttpRequestLike, ServerHook } from "../types";
+import type { HttpRequestLike, ServerHook } from "../types.js";
 /**
  * CORS configuration for `createCorsHooks(...)`.
  */

package/dist/server/hooks/cors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/cors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACzB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB;;OAEG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAmBD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC/B,GAAG,EAAE,eAAe,EACpB,UAAU,EAAE,UAAU,GACrB,IAAI,CA4BN;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,CAsBxE"}
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/cors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACzB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB;;OAEG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAmBD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC/B,GAAG,EAAE,eAAe,EACpB,UAAU,EAAE,UAAU,GACrB,IAAI,CA4BN;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,CAsBxE"}

package/dist/server/hooks/errors.d.ts

@@ -1,11 +1,11 @@
 /**
  * Framework-agnostic error mapping utilities for @beignet/core/server
  */
-import type { AppEnvironment } from "../health";
+import type { AppEnvironment } from "../health.js";
 /**
  * Re-export `AppEnvironment` for convenience.
  */
-export type { AppEnvironment } from "../health";
+export type { AppEnvironment } from "../health.js";
 /**
  * Framework-neutral response produced by an error mapper.
  */

package/dist/server/hooks/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAGhD;;GAEG;AACH,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,IAAI,EAAE,OAAO,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB,CAAC,GAAG;IACrC,oCAAoC;IACpC,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,KAAK,kBAAkB,CAAC;IAEpE,6EAA6E;IAC7E,sBAAsB,CAAC,EAAE,OAAO,CAAC;IAEjC,+BAA+B;IAC/B,GAAG,CAAC,EAAE,cAAc,CAAC;CACtB;AA0BD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAC3C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,kBAAkB,CAAC,GAAG,CAAC,GAC9B,kBAAkB,CAwBpB"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD;;GAEG;AACH,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,IAAI,EAAE,OAAO,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB,CAAC,GAAG;IACrC,oCAAoC;IACpC,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,KAAK,kBAAkB,CAAC;IAEpE,6EAA6E;IAC7E,sBAAsB,CAAC,EAAE,OAAO,CAAC;IAEjC,+BAA+B;IAC/B,GAAG,CAAC,EAAE,cAAc,CAAC;CACtB;AA0BD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAC3C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,kBAAkB,CAAC,GAAG,CAAC,GAC9B,kBAAkB,CAwBpB"}

package/dist/server/hooks/errors.js

@@ -1,8 +1,8 @@
 /**
  * Framework-agnostic error mapping utilities for @beignet/core/server
  */
-import { createErrorResponseBody } from "../../errors";
-import { getRequestIdFromContext } from "./utils";
+import { createErrorResponseBody, } from "../../errors/index.js";
+import { getRequestIdFromContext } from "./utils.js";
 /**
  * Create default error response body
  */

package/dist/server/hooks/errors.js.map

@@ -1 +1 @@
-{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../src/server/hooks/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,uBAAuB,EAA0B,MAAM,cAAc,CAAC;AAE/E,OAAO,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAuClD;;GAEG;AACH,SAAS,sBAAsB,CAC7B,GAAY,EACZ,YAAqB,EACrB,SAAkB;IAElB,OAAO,uBAAuB,CAAC;QAC7B,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,uBAAuB;QAChC,SAAS;QACT,OAAO,EACL,YAAY,IAAI,GAAG,YAAY,KAAK;YAClC,CAAC,CAAC;gBACE,KAAK,EAAE;oBACL,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,KAAK,EAAE,GAAG,CAAC,KAAK;iBACjB;aACF;YACH,CAAC,CAAC,SAAS;KAChB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,MAAM,UAAU,yBAAyB,CACvC,GAAY,EACZ,GAAQ,EACR,MAA+B;IAE/B,6CAA6C;IAC7C,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,OAAO,MAAM,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,+CAA+C;QACjD,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,MAAM,YAAY,GAChB,MAAM,CAAC,sBAAsB;QAC7B,CAAC,MAAM,CAAC,GAAG,KAAK,aAAa,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,CAAC;IAE1D,yBAAyB;IACzB,MAAM,SAAS,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,sBAAsB,CAAC,GAAG,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IAElE,OAAO;QACL,MAAM,EAAE,GAAG;QACX,IAAI;QACJ,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC;AACJ,CAAC"}
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../src/server/hooks/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,uBAAuB,GAExB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAuCrD;;GAEG;AACH,SAAS,sBAAsB,CAC7B,GAAY,EACZ,YAAqB,EACrB,SAAkB;IAElB,OAAO,uBAAuB,CAAC;QAC7B,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,uBAAuB;QAChC,SAAS;QACT,OAAO,EACL,YAAY,IAAI,GAAG,YAAY,KAAK;YAClC,CAAC,CAAC;gBACE,KAAK,EAAE;oBACL,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,KAAK,EAAE,GAAG,CAAC,KAAK;iBACjB;aACF;YACH,CAAC,CAAC,SAAS;KAChB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,MAAM,UAAU,yBAAyB,CACvC,GAAY,EACZ,GAAQ,EACR,MAA+B;IAE/B,6CAA6C;IAC7C,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,OAAO,MAAM,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,+CAA+C;QACjD,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,MAAM,YAAY,GAChB,MAAM,CAAC,sBAAsB;QAC7B,CAAC,MAAM,CAAC,GAAG,KAAK,aAAa,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,CAAC;IAE1D,yBAAyB;IACzB,MAAM,SAAS,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,sBAAsB,CAAC,GAAG,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IAElE,OAAO;QACL,MAAM,EAAE,GAAG;QACX,IAAI;QACJ,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC;AACJ,CAAC"}

package/dist/server/hooks/idempotency.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Idempotency hooks for @beignet/core/server
+ */
+import { type IdempotencyMeta, type IdempotencyPort, type IdempotencyScope } from "../../idempotency/index.js";
+import type { ActivityActor, ActivityTenant } from "../../ports/index.js";
+import type { HttpRequestLike, ServerHook } from "../types.js";
+/**
+ * Ports required by idempotency hooks.
+ */
+export type IdempotencyPorts = {
+    idempotency: IdempotencyPort;
+};
+/**
+ * Minimal context shape required for actor- and tenant-scoped idempotency.
+ */
+export type CtxWithIdempotency = {
+    ports: IdempotencyPorts;
+    actor?: ActivityActor;
+    tenant?: ActivityTenant;
+};
+/**
+ * Options for `createIdempotencyHooks(...)`.
+ */
+export interface IdempotencyHooksOptions<Ctx> {
+    /**
+     * Build the idempotency namespace for a contract.
+     *
+     * Defaults to `http.<contract name>` so HTTP reservations never collide with
+     * use-case `runIdempotently(...)` namespaces.
+     */
+    namespace?: (args: {
+        contract: {
+            name: string;
+        };
+    }) => string;
+    /**
+     * Build the idempotency scope after context exists.
+     *
+     * Defaults to a scope derived from `meta.scope`: `"global"` stays global,
+     * `"actor"` scopes by `ctx.actor?.id`, `"tenant"` scopes by `ctx.tenant?.id`,
+     * and `"actor-tenant"` scopes by both.
+     */
+    scope?: (args: {
+        ctx: Ctx;
+        req: HttpRequestLike;
+        meta: IdempotencyMeta;
+    }) => IdempotencyScope;
+    /**
+     * Build the fingerprint input from the parsed request.
+     *
+     * Defaults to `{ path, query, body }`.
+     */
+    fingerprintInput?: (args: {
+        path: unknown;
+        query: unknown;
+        body: unknown;
+    }) => unknown;
+}
+/**
+ * Create metadata-driven idempotency hooks.
+ *
+ * The hook reads `contract.metadata.idempotency` and enforces it with
+ * `ctx.ports.idempotency`. In `beforeHandle` it reserves the client key after
+ * request parsing, replays completed matching responses with an
+ * `idempotency-replayed: true` header, and rejects in-progress or conflicting
+ * keys with the framework `IdempotencyInProgress`/`IdempotencyConflict` catalog
+ * errors. In `beforeSend` it stores 2xx framework-neutral responses for replay
+ * and releases the reservation for errors, non-2xx responses, and native
+ * `Response` results, which are not replayable.
+ *
+ * Use `runIdempotently(...)` from `@beignet/core/idempotency` for non-HTTP
+ * workflows such as jobs, listeners, webhooks, and schedules.
+ *
+ * @param options - Optional namespace, scope, and fingerprint-input builders.
+ * @returns A server hook backed by `ctx.ports.idempotency`.
+ */
+export declare function createIdempotencyHooks<Ctx extends CtxWithIdempotency>(options?: IdempotencyHooksOptions<Ctx>): ServerHook<Ctx, IdempotencyPorts>;
+//# sourceMappingURL=idempotency.d.ts.map

package/dist/server/hooks/idempotency.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/idempotency.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAIL,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACtB,MAAM,4BAA4B,CAAC;AACpC,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,KAAK,EACV,eAAe,EAEf,UAAU,EACX,MAAM,aAAa,CAAC;AAErB;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,WAAW,EAAE,eAAe,CAAC;CAC9B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,KAAK,EAAE,gBAAgB,CAAC;IACxB,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,uBAAuB,CAAC,GAAG;IAC1C;;;;;OAKG;IACH,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE;QAAE,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,KAAK,MAAM,CAAC;IAC7D;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE;QACb,GAAG,EAAE,GAAG,CAAC;QACT,GAAG,EAAE,eAAe,CAAC;QACrB,IAAI,EAAE,eAAe,CAAC;KACvB,KAAK,gBAAgB,CAAC;IACvB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,CAAC,IAAI,EAAE;QACxB,IAAI,EAAE,OAAO,CAAC;QACd,KAAK,EAAE,OAAO,CAAC;QACf,IAAI,EAAE,OAAO,CAAC;KACf,KAAK,OAAO,CAAC;CACf;AAmDD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,SAAS,kBAAkB,EACnE,OAAO,GAAE,uBAAuB,CAAC,GAAG,CAAM,GACzC,UAAU,CAAC,GAAG,EAAE,gBAAgB,CAAC,CA0HnC"}

package/dist/server/hooks/idempotency.js

@@ -0,0 +1,154 @@
+/**
+ * Idempotency hooks for @beignet/core/server
+ */
+import { AppError, httpErrors } from "../../errors/index.js";
+import { createIdempotencyFingerprint, IdempotencyConflictError, IdempotencyInProgressError, } from "../../idempotency/index.js";
+/**
+ * Header set on replayed responses.
+ */
+const IDEMPOTENCY_REPLAYED_HEADER = "idempotency-replayed";
+function defaultIdempotencyScope(ctx, meta) {
+    const mode = meta.scope ?? "global";
+    switch (mode) {
+        case "global":
+            return "global";
+        case "actor":
+            return { actorId: ctx.actor?.id };
+        case "tenant":
+            return { tenantId: ctx.tenant?.id };
+        case "actor-tenant":
+            return { actorId: ctx.actor?.id, tenantId: ctx.tenant?.id };
+    }
+}
+function isReplayableHttpResponse(value) {
+    if (typeof value !== "object" || value === null)
+        return false;
+    const candidate = value;
+    if (typeof candidate.status !== "number")
+        return false;
+    if (candidate.headers !== undefined &&
+        (typeof candidate.headers !== "object" ||
+            candidate.headers === null ||
+            Array.isArray(candidate.headers))) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Create metadata-driven idempotency hooks.
+ *
+ * The hook reads `contract.metadata.idempotency` and enforces it with
+ * `ctx.ports.idempotency`. In `beforeHandle` it reserves the client key after
+ * request parsing, replays completed matching responses with an
+ * `idempotency-replayed: true` header, and rejects in-progress or conflicting
+ * keys with the framework `IdempotencyInProgress`/`IdempotencyConflict` catalog
+ * errors. In `beforeSend` it stores 2xx framework-neutral responses for replay
+ * and releases the reservation for errors, non-2xx responses, and native
+ * `Response` results, which are not replayable.
+ *
+ * Use `runIdempotently(...)` from `@beignet/core/idempotency` for non-HTTP
+ * workflows such as jobs, listeners, webhooks, and schedules.
+ *
+ * @param options - Optional namespace, scope, and fingerprint-input builders.
+ * @returns A server hook backed by `ctx.ports.idempotency`.
+ */
+export function createIdempotencyHooks(options = {}) {
+    const pending = new WeakMap();
+    return {
+        name: "idempotency",
+        beforeHandle: async ({ ctx, contract, req, path, query, body }) => {
+            const meta = contract.metadata?.idempotency;
+            if (!meta) {
+                return undefined;
+            }
+            const header = (meta.header ?? "idempotency-key").toLowerCase();
+            const key = req.headers.get(header);
+            if (!key) {
+                if (meta.required) {
+                    throw new AppError(httpErrors.BadRequest, {
+                        contract: contract.name,
+                        header,
+                    }, `Missing required idempotency key header "${header}"`);
+                }
+                return undefined;
+            }
+            const namespace = options.namespace?.({ contract: { name: contract.name } }) ??
+                `http.${contract.name}`;
+            const scope = options.scope?.({ ctx, req, meta }) ??
+                defaultIdempotencyScope(ctx, meta);
+            const fingerprint = await createIdempotencyFingerprint(options.fingerprintInput?.({ path, query, body }) ?? {
+                path,
+                query,
+                body,
+            });
+            const reservation = await ctx.ports.idempotency.reserve({
+                namespace,
+                key,
+                scope,
+                fingerprint,
+                ttlSec: meta.ttlSec,
+            });
+            switch (reservation.status) {
+                case "replay": {
+                    if (!isReplayableHttpResponse(reservation.result)) {
+                        throw new AppError(httpErrors.InternalServerError, { namespace, key }, `Stored idempotency result for "${namespace}" key "${key}" is not a replayable HTTP response`);
+                    }
+                    return {
+                        status: reservation.result.status,
+                        headers: {
+                            ...(reservation.result.headers ?? {}),
+                            [IDEMPOTENCY_REPLAYED_HEADER]: "true",
+                        },
+                        body: reservation.result.body,
+                    };
+                }
+                case "inProgress": {
+                    throw new IdempotencyInProgressError(reservation);
+                }
+                case "conflict": {
+                    throw new IdempotencyConflictError(reservation);
+                }
+                case "reserved": {
+                    pending.set(req, {
+                        port: ctx.ports.idempotency,
+                        namespace,
+                        key,
+                        scope,
+                        fingerprint,
+                    });
+                    return undefined;
+                }
+            }
+        },
+        beforeSend: async ({ req, response, error, native }) => {
+            const reservation = pending.get(req);
+            if (!reservation) {
+                return undefined;
+            }
+            pending.delete(req);
+            const { port, namespace, key, scope, fingerprint } = reservation;
+            if (!native &&
+                !error &&
+                response.status >= 200 &&
+                response.status < 300) {
+                await port.complete({
+                    namespace,
+                    key,
+                    scope,
+                    fingerprint,
+                    result: {
+                        status: response.status,
+                        headers: response.headers,
+                        body: response.body,
+                    },
+                });
+                return undefined;
+            }
+            // Errors, non-2xx responses, and native `Response` results release the
+            // reservation. Streams are not replayable.
+            await port.fail({ namespace, key, scope, fingerprint, error });
+            return undefined;
+        },
+    };
+}
+//# sourceMappingURL=idempotency.js.map

package/dist/server/hooks/idempotency.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency.js","sourceRoot":"","sources":["../../../src/server/hooks/idempotency.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EACL,4BAA4B,EAC5B,wBAAwB,EACxB,0BAA0B,GAI3B,MAAM,4BAA4B,CAAC;AA2DpC;;GAEG;AACH,MAAM,2BAA2B,GAAG,sBAAsB,CAAC;AAU3D,SAAS,uBAAuB,CAC9B,GAAuB,EACvB,IAAqB;IAErB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,IAAI,QAAQ,CAAC;IAEpC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,OAAO;YACV,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC;QACpC,KAAK,QAAQ;YACX,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,CAAC;QACtC,KAAK,cAAc;YACjB,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,CAAC;IAChE,CAAC;AACH,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAc;IAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAE9D,MAAM,SAAS,GAAG,KAAgD,CAAC;IACnE,IAAI,OAAO,SAAS,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEvD,IACE,SAAS,CAAC,OAAO,KAAK,SAAS;QAC/B,CAAC,OAAO,SAAS,CAAC,OAAO,KAAK,QAAQ;YACpC,SAAS,CAAC,OAAO,KAAK,IAAI;YAC1B,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,EACnC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,sBAAsB,CACpC,UAAwC,EAAE;IAE1C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAuC,CAAC;IAEnE,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,YAAY,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE;YAChE,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;YAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,iBAAiB,CAAC,CAAC,WAAW,EAAE,CAAC;YAChE,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAEpC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;oBAClB,MAAM,IAAI,QAAQ,CAChB,UAAU,CAAC,UAAU,EACrB;wBACE,QAAQ,EAAE,QAAQ,CAAC,IAAI;wBACvB,MAAM;qBACP,EACD,4CAA4C,MAAM,GAAG,CACtD,CAAC;gBACJ,CAAC;gBACD,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,SAAS,GACb,OAAO,CAAC,SAAS,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC;gBAC1D,QAAQ,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC1B,MAAM,KAAK,GACT,OAAO,CAAC,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;gBACnC,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACrC,MAAM,WAAW,GAAG,MAAM,4BAA4B,CACpD,OAAO,CAAC,gBAAgB,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,IAAI;gBACnD,IAAI;gBACJ,KAAK;gBACL,IAAI;aACL,CACF,CAAC;YAEF,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC;gBACtD,SAAS;gBACT,GAAG;gBACH,KAAK;gBACL,WAAW;gBACX,MAAM,EAAE,IAAI,CAAC,MAAM;aACpB,CAAC,CAAC;YAEH,QAAQ,WAAW,CAAC,MAAM,EAAE,CAAC;gBAC3B,KAAK,QAAQ,CAAC,CAAC,CAAC;oBACd,IAAI,CAAC,wBAAwB,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;wBAClD,MAAM,IAAI,QAAQ,CAChB,UAAU,CAAC,mBAAmB,EAC9B,EAAE,SAAS,EAAE,GAAG,EAAE,EAClB,kCAAkC,SAAS,UAAU,GAAG,qCAAqC,CAC9F,CAAC;oBACJ,CAAC;oBAED,OAAO;wBACL,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,MAAM;wBACjC,OAAO,EAAE;4BACP,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;4BACrC,CAAC,2BAA2B,CAAC,EAAE,MAAM;yBACtC;wBACD,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,IAAI;qBAC9B,CAAC;gBACJ,CAAC;gBACD,KAAK,YAAY,CAAC,CAAC,CAAC;oBAClB,MAAM,IAAI,0BAA0B,CAAC,WAAW,CAAC,CAAC;gBACpD,CAAC;gBACD,KAAK,UAAU,CAAC,CAAC,CAAC;oBAChB,MAAM,IAAI,wBAAwB,CAAC,WAAW,CAAC,CAAC;gBAClD,CAAC;gBACD,KAAK,UAAU,CAAC,CAAC,CAAC;oBAChB,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE;wBACf,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,WAAW;wBAC3B,SAAS;wBACT,GAAG;wBACH,KAAK;wBACL,WAAW;qBACZ,CAAC,CAAC;oBACH,OAAO,SAAS,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;YACrD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAEpB,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC;YAEjE,IACE,CAAC,MAAM;gBACP,CAAC,KAAK;gBACN,QAAQ,CAAC,MAAM,IAAI,GAAG;gBACtB,QAAQ,CAAC,MAAM,GAAG,GAAG,EACrB,CAAC;gBACD,MAAM,IAAI,CAAC,QAAQ,CAAC;oBAClB,SAAS;oBACT,GAAG;oBACH,KAAK;oBACL,WAAW;oBACX,MAAM,EAAE;wBACN,MAAM,EAAE,QAAQ,CAAC,MAAM;wBACvB,OAAO,EAAE,QAAQ,CAAC,OAAO;wBACzB,IAAI,EAAE,QAAQ,CAAC,IAAI;qBACpB;iBACF,CAAC,CAAC;gBACH,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,uEAAuE;YACvE,2CAA2C;YAC3C,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC;YAC/D,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/server/hooks/index.d.ts

@@ -1,13 +1,14 @@
 /**
  * Hook utilities for @beignet/core/server
  */
-import type { AnyPorts } from "../../ports";
-import type { ServerHook } from "../http";
-export { type AuthHookArgs, type AuthHooksOptions, type AuthRouteHooks, createAuthHooks, } from "./auth";
-export { applyCorsHeaders, type CorsConfig, createCorsHooks, } from "./cors";
-export { defaultMapErrorToResponse, type ErrorMappingConfig, type ErrorMappingResult, } from "./errors";
-export { createLoggingHooks, type Logger, type LoggingConfig, } from "./logging";
-export { type CtxWithRateLimit, createRateLimitHooks, type RateLimitOptions, } from "./rate-limit";
+import type { AnyPorts } from "../../ports/index.js";
+import type { ServerHook } from "../http.js";
+export { type AuthHookArgs, type AuthHooksOptions, type AuthRouteHooks, createAuthHooks, } from "./auth.js";
+export { applyCorsHeaders, type CorsConfig, createCorsHooks, } from "./cors.js";
+export { defaultMapErrorToResponse, type ErrorMappingConfig, type ErrorMappingResult, } from "./errors.js";
+export { type CtxWithIdempotency, createIdempotencyHooks, type IdempotencyHooksOptions, type IdempotencyPorts, } from "./idempotency.js";
+export { createLoggingHooks, type Logger, type LoggingConfig, } from "./logging.js";
+export { type CtxWithRateLimit, createRateLimitHooks, type RateLimitIpSource, type RateLimitOptions, } from "./rate-limit.js";
 /**
  * Flatten hook arrays into a single hook list.
  */

package/dist/server/hooks/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C,OAAO,EACL,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,eAAe,GAChB,MAAM,QAAQ,CAAC;AAChB,OAAO,EACL,gBAAgB,EAChB,KAAK,UAAU,EACf,eAAe,GAChB,MAAM,QAAQ,CAAC;AAChB,OAAO,EACL,yBAAyB,EACzB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,GACxB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,kBAAkB,EAClB,KAAK,MAAM,EACX,KAAK,aAAa,GACnB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,KAAK,gBAAgB,EACrB,oBAAoB,EACpB,KAAK,gBAAgB,GACtB,MAAM,cAAc,CAAC;AAEtB;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,KAAK,SAAS,QAAQ,GAAG,QAAQ,EACjE,GAAG,KAAK,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC,EAAE,GACvE,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAE1B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,OAAO,EACL,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,gBAAgB,EAChB,KAAK,UAAU,EACf,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,yBAAyB,EACzB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,GACxB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,KAAK,kBAAkB,EACvB,sBAAsB,EACtB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,kBAAkB,EAClB,KAAK,MAAM,EACX,KAAK,aAAa,GACnB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,KAAK,gBAAgB,EACrB,oBAAoB,EACpB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,GACtB,MAAM,iBAAiB,CAAC;AAEzB;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,KAAK,SAAS,QAAQ,GAAG,QAAQ,EACjE,GAAG,KAAK,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC,EAAE,GACvE,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAE1B"}

package/dist/server/hooks/index.js

@@ -1,11 +1,12 @@
 /**
  * Hook utilities for @beignet/core/server
  */
-export { createAuthHooks, } from "./auth";
-export { applyCorsHeaders, createCorsHooks, } from "./cors";
-export { defaultMapErrorToResponse, } from "./errors";
-export { createLoggingHooks, } from "./logging";
-export { createRateLimitHooks, } from "./rate-limit";
+export { createAuthHooks, } from "./auth.js";
+export { applyCorsHeaders, createCorsHooks, } from "./cors.js";
+export { defaultMapErrorToResponse, } from "./errors.js";
+export { createIdempotencyHooks, } from "./idempotency.js";
+export { createLoggingHooks, } from "./logging.js";
+export { createRateLimitHooks, } from "./rate-limit.js";
 /**
  * Flatten hook arrays into a single hook list.
  */

package/dist/server/hooks/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/hooks/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,EAIL,eAAe,GAChB,MAAM,QAAQ,CAAC;AAChB,OAAO,EACL,gBAAgB,EAEhB,eAAe,GAChB,MAAM,QAAQ,CAAC;AAChB,OAAO,EACL,yBAAyB,GAG1B,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,kBAAkB,GAGnB,MAAM,WAAW,CAAC;AACnB,OAAO,EAEL,oBAAoB,GAErB,MAAM,cAAc,CAAC;AAEtB;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,GAAG,KAAqE;IAExE,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACxE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/hooks/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,EAIL,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,gBAAgB,EAEhB,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,yBAAyB,GAG1B,MAAM,aAAa,CAAC;AACrB,OAAO,EAEL,sBAAsB,GAGvB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,kBAAkB,GAGnB,MAAM,cAAc,CAAC;AACtB,OAAO,EAEL,oBAAoB,GAGrB,MAAM,iBAAiB,CAAC;AAEzB;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,GAAG,KAAqE;IAExE,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACxE,CAAC"}

package/dist/server/hooks/logging.d.ts

@@ -1,8 +1,8 @@
 /**
  * Logging hook utilities for @beignet/core/server
  */
-import type { HttpContractConfig } from "../../contracts";
-import type { HttpRequestLike, ServerHook } from "../types";
+import type { HttpContractConfig } from "../../contracts/index.js";
+import type { HttpRequestLike, ServerHook } from "../types.js";
 /**
  * Minimal logger shape accepted by `createLoggingHooks(...)`.
  */

package/dist/server/hooks/logging.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"logging.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/logging.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAG5D;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB;;OAEG;IACH,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACnC;;OAEG;IACH,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACpC;;OAEG;IACH,IAAI,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACpC;;OAEG;IACH,KAAK,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa,CAAC,GAAG;IAChC;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;OAEG;IACH,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QACtB,GAAG,CAAC,EAAE,GAAG,CAAC;QACV,GAAG,EAAE,eAAe,CAAC;QACrB,QAAQ,CAAC,EAAE,kBAAkB,CAAC;KAC/B,KAAK,IAAI,CAAC;IACX;;OAEG;IACH,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE;QACpB,GAAG,CAAC,EAAE,GAAG,CAAC;QACV,GAAG,EAAE,eAAe,CAAC;QACrB,GAAG,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;SAAE,CAAC;QACzD,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,kBAAkB,CAAC;QAC9B,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB,KAAK,IAAI,CAAC;CACZ;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EACpC,MAAM,EAAE,aAAa,CAAC,GAAG,CAAC,GACzB,UAAU,CAAC,GAAG,CAAC,CAqFjB"}
+{"version":3,"file":"logging.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/logging.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAG/D;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB;;OAEG;IACH,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACnC;;OAEG;IACH,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACpC;;OAEG;IACH,IAAI,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACpC;;OAEG;IACH,KAAK,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa,CAAC,GAAG;IAChC;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;OAEG;IACH,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QACtB,GAAG,CAAC,EAAE,GAAG,CAAC;QACV,GAAG,EAAE,eAAe,CAAC;QACrB,QAAQ,CAAC,EAAE,kBAAkB,CAAC;KAC/B,KAAK,IAAI,CAAC;IACX;;OAEG;IACH,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE;QACpB,GAAG,CAAC,EAAE,GAAG,CAAC;QACV,GAAG,EAAE,eAAe,CAAC;QACrB,GAAG,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;SAAE,CAAC;QACzD,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,kBAAkB,CAAC;QAC9B,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB,KAAK,IAAI,CAAC;CACZ;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EACpC,MAAM,EAAE,aAAa,CAAC,GAAG,CAAC,GACzB,UAAU,CAAC,GAAG,CAAC,CAqFjB"}

package/dist/server/hooks/logging.js

@@ -1,7 +1,7 @@
 /**
  * Logging hook utilities for @beignet/core/server
  */
-import { getRequestIdFromContext } from "./utils";
+import { getRequestIdFromContext } from "./utils.js";
 /**
  * Create request logging hooks.
  *

package/dist/server/hooks/logging.js.map

@@ -1 +1 @@
-{"version":3,"file":"logging.js","sourceRoot":"","sources":["../../../src/server/hooks/logging.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAyDlD;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAA0B;IAE1B,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;IAE/C,OAAO;QACL,IAAI,EAAE,SAAS;QACf,SAAS,EAAE,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC/B,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,MAAM,CAAC,cAAc,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC;gBAC3D,CAAC;gBAAC,MAAM,CAAC;oBACP,wBAAwB;gBAC1B,CAAC;gBACD,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,MAAM;gBAAE,OAAO,SAAS,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE,EACzC,eAAe,CAChB,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,GAAG,CAAC,eAAe;YACjB,CAAC,CAAC;gBACE,UAAU,EAAE,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,EAAE;oBAChC,MAAM,SAAS,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;oBAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;wBACf,OAAO,QAAQ,CAAC;oBAClB,CAAC;oBAED,OAAO;wBACL,GAAG,QAAQ;wBACX,OAAO,EAAE;4BACP,GAAG,CAAC,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;4BAC3B,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC;yBACrC;qBACF,CAAC;gBACJ,CAAC;aACF;YACH,CAAC,CAAC,EAAE,CAAC;QACP,SAAS,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,EAAE;YACjE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;YACvC,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,CAAC,YAAY,CAAC;wBAClB,GAAG;wBACH,GAAG;wBACH,GAAG,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE;wBACzC,UAAU;wBACV,QAAQ;wBACR,KAAK;qBACN,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,wBAAwB;gBAC1B,CAAC;gBACD,OAAO;YACT,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,MAAM;gBAAE,OAAO;YAC3B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC7B,MAAM,SAAS,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;gBAC/C,MAAM,OAAO,GAAG;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,GAAG,EAAE,GAAG,CAAC,QAAQ;oBACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;oBAClC,GAAG,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjD,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC1C,CAAC;gBACF,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAC;oBAC5D,OAAO;gBACT,CAAC;gBACD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;YAClD,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"logging.js","sourceRoot":"","sources":["../../../src/server/hooks/logging.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAyDrD;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAA0B;IAE1B,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;IAE/C,OAAO;QACL,IAAI,EAAE,SAAS;QACf,SAAS,EAAE,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC/B,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,MAAM,CAAC,cAAc,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC;gBAC3D,CAAC;gBAAC,MAAM,CAAC;oBACP,wBAAwB;gBAC1B,CAAC;gBACD,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,MAAM;gBAAE,OAAO,SAAS,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE,EACzC,eAAe,CAChB,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,GAAG,CAAC,eAAe;YACjB,CAAC,CAAC;gBACE,UAAU,EAAE,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,EAAE;oBAChC,MAAM,SAAS,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;oBAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;wBACf,OAAO,QAAQ,CAAC;oBAClB,CAAC;oBAED,OAAO;wBACL,GAAG,QAAQ;wBACX,OAAO,EAAE;4BACP,GAAG,CAAC,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;4BAC3B,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC;yBACrC;qBACF,CAAC;gBACJ,CAAC;aACF;YACH,CAAC,CAAC,EAAE,CAAC;QACP,SAAS,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,EAAE;YACjE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;YACvC,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,CAAC,YAAY,CAAC;wBAClB,GAAG;wBACH,GAAG;wBACH,GAAG,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE;wBACzC,UAAU;wBACV,QAAQ;wBACR,KAAK;qBACN,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,wBAAwB;gBAC1B,CAAC;gBACD,OAAO;YACT,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,MAAM;gBAAE,OAAO;YAC3B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC7B,MAAM,SAAS,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;gBAC/C,MAAM,OAAO,GAAG;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,GAAG,EAAE,GAAG,CAAC,QAAQ;oBACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;oBAClC,GAAG,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjD,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC1C,CAAC;gBACF,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAC;oBAC5D,OAAO;gBACT,CAAC;gBACD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;YAClD,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/server/hooks/rate-limit.d.ts

@@ -1,9 +1,9 @@
 /**
  * Rate limit hooks for @beignet/core/server
  */
-import type { RateLimitScope } from "../../contracts";
-import type { ActivityActor, RateLimitPort } from "../../ports";
-import type { HttpRequestLike, ServerHook } from "../types";
+import type { RateLimitScope } from "../../contracts/index.js";
+import type { ActivityActor, RateLimitPort } from "../../ports/index.js";
+import type { HttpRequestLike, ServerHook } from "../types.js";
 /**
  * Ports required by rate-limit hooks.
  */
@@ -18,6 +18,19 @@ export type CtxWithRateLimit = {
     actor?: ActivityActor;
 };
 type EarlyRateLimitScope = Exclude<RateLimitScope, "user">;
+/**
+ * Strategy for resolving the client IP used by `ip`-scoped limits.
+ *
+ * - `"x-forwarded-for-last"` (default): the last `x-forwarded-for` entry.
+ *   This is the address appended by the platform's trusted reverse proxy and
+ *   cannot be chosen by the client.
+ * - `"x-forwarded-for-first"`: the first `x-forwarded-for` entry. This value
+ *   is client-controlled, so only use it when a trusted edge normalizes the
+ *   header before it reaches the app.
+ * - A function receives the raw request and returns the client IP, for
+ *   platform-specific headers such as `cf-connecting-ip`.
+ */
+export type RateLimitIpSource = "x-forwarded-for-last" | "x-forwarded-for-first" | ((req: HttpRequestLike) => string | undefined);
 /**
  * Options for `createRateLimitHooks(...)`.
  */
@@ -42,9 +55,12 @@ export interface RateLimitOptions<Ctx> {
         scope: EarlyRateLimitScope;
     }) => string;
     /**
-     * Resolve a client IP from the raw request.
+     * Resolve the client IP for `ip`-scoped limits.
+     *
+     * Defaults to `"x-forwarded-for-last"`, the entry appended by the
+     * platform's trusted proxy. Pass a function for platform-specific headers.
      */
-    getClientIp?: (req: HttpRequestLike) => string | undefined;
+    ipSource?: RateLimitIpSource;
 }
 /**
  * Create metadata-driven rate-limit hooks.
@@ -52,9 +68,11 @@ export interface RateLimitOptions<Ctx> {
  * The hook reads `contract.metadata.rateLimit`. Global and IP-scoped limits run
  * in `onRequest` before context creation; user-scoped limits run in
  * `beforeHandle` after `ctx.actor` is available. Exceeded limits throw the
- * framework `TooManyRequests` app error.
+ * framework `TooManyRequests` app error with `scope`, `retryAfterSeconds`, and
+ * `resetAt` details. The bucket key is never sent to clients; denials emit a
+ * `rateLimit.denied` instrumentation event that carries the key for operators.
  *
- * @param options - Optional key builders and client-IP resolver.
+ * @param options - Optional key builders and client-IP source.
  * @returns A server hook backed by `ctx.ports.rateLimit`.
  */
 export declare function createRateLimitHooks<Ctx extends CtxWithRateLimit>(options?: RateLimitOptions<Ctx>): ServerHook<Ctx, RateLimitPorts>;

package/dist/server/hooks/rate-limit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEtD,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,SAAS,EAAE,aAAa,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,cAAc,CAAC;IACtB,KAAK,CAAC,EAAE,aAAa,CAAC;CACvB,CAAC;AAEF,KAAK,mBAAmB,GAAG,OAAO,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;AAE3D;;GAEG;AACH,MAAM,WAAW,gBAAgB,CAAC,GAAG;IACnC;;;;OAIG;IACH,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE;QACX,GAAG,EAAE,GAAG,CAAC;QACT,GAAG,EAAE,eAAe,CAAC;QACrB,KAAK,EAAE,cAAc,CAAC;KACvB,KAAK,MAAM,CAAC;IACb;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAChB,GAAG,EAAE,eAAe,CAAC;QACrB,KAAK,EAAE,mBAAmB,CAAC;KAC5B,KAAK,MAAM,CAAC;IACb;;OAEG;IACH,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,eAAe,KAAK,MAAM,GAAG,SAAS,CAAC;CAC5D;AAmFD;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,SAAS,gBAAgB,EAC/D,OAAO,GAAE,gBAAgB,CAAC,GAAG,CAAM,GAClC,UAAU,CAAC,GAAG,EAAE,cAAc,CAAC,CAsDjC"}
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE/D,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAKzE,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE/D;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,SAAS,EAAE,aAAa,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,cAAc,CAAC;IACtB,KAAK,CAAC,EAAE,aAAa,CAAC;CACvB,CAAC;AAEF,KAAK,mBAAmB,GAAG,OAAO,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;AAE3D;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,iBAAiB,GACzB,sBAAsB,GACtB,uBAAuB,GACvB,CAAC,CAAC,GAAG,EAAE,eAAe,KAAK,MAAM,GAAG,SAAS,CAAC,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,gBAAgB,CAAC,GAAG;IACnC;;;;OAIG;IACH,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE;QACX,GAAG,EAAE,GAAG,CAAC;QACT,GAAG,EAAE,eAAe,CAAC;QACrB,KAAK,EAAE,cAAc,CAAC;KACvB,KAAK,MAAM,CAAC;IACb;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAChB,GAAG,EAAE,eAAe,CAAC;QACrB,KAAK,EAAE,mBAAmB,CAAC;KAC5B,KAAK,MAAM,CAAC;IACb;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AA4HD;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,SAAS,gBAAgB,EAC/D,OAAO,GAAE,gBAAgB,CAAC,GAAG,CAAM,GAClC,UAAU,CAAC,GAAG,EAAE,cAAc,CAAC,CAuDjC"}